Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Asymmetric Warfare’ Category

The Widening Gyre: Putin’s Asset Sets Multinational Norms On Fire and Begets Global Negative Actions


We are beginning to reap the whirlwind in the news cycle from the election of Trump and his breaking of norms that this country and the world have come to rely on. This is exactly what Putin wanted, a country in the midst of a political and social rift that takes our eye off the global ball and allows for negative actions to be carried out without sanction. We have seen Trump set the constitution on fire, the Judicial body of the United States, the Economic norms, and generally break up the balance of power in the world. This has allowed Putin to have greater freedom to act and in turn now others feel empowered. China, North Korea, Syria, and most recently Saudi Arabia have taken actions that would in normal times possibly not have been acted on were the nations not at odds, generally due to America’s abdication of its role.

Let’s cover some of the things going on…

RUSSIA:

Putin is still working the levers of power and in so doing he is still making moves on Ukraine all the while leveraging the problems in Syria as well. His actions are twofold, first to annex Ukraine altogether if he can. If he can’t then he will continue to fight with disinformation and active measures campaigns until he has more control over the area even if he cannot all out annex them back into Russia proper. Meanwhile, in Syria, Putin is leveraging Erdogan and the battle there with da’esh to gain a foothold in the region and have a friendly dictator he can someday use as a proxy against others in the world.

Meanwhile, Putin keeps having his enemies killed off in interesting ways. The list has been topped off as of yesterday with an oligarch who ran afoul of him being found in a park choked to death by a dog leash.

…. A dog leash….

Now that is a metaphor huh? Putin will continue on liquidating his problems with impunity because the norms have all been broken because of Trump. The U.N., NATO, all of the normative bodies have been rebuffed by Trump and weakened. All that is lacking now is an assassination of a Putin enemy on American soil for his win to be complete. Putin pulled a master stroke in helping Trump win. Even so, don’t believe for a second that Putin isn’t also waiting to not only use Trump more, but if Trump begins to fail him he will continue to perform flyovers in our air space like he has been with the BEAR FOXTROTS over Alaska and likely will become more aggressive. I have yet to hear anything about SSN activity but be assured they are there… Waiting.

CHINA:

China has upped its espionage games since Trump started his little trade war with them. Recent events have shown a rise in hacking and phishing campaigns that had slowed down since the Xi and Obama agreement. That’s over now though and with the trade war heating things up, and rankling the core ideal of China to be an economic superpower, we are going to see not only more hacking and phishing with a side of theft of IP but also now classical espionage tradecraft to carry out the same goals. All of this will only escalate against the US as we move forward and likely set more things on fire by Trump’s economic disaster plan.

MEANWHILE…. China feels empowered too because of all the fractiousness in the world’s governing bodies and has made the ex-INTERPOL chief disappear while in China. Gee, China is now feeling like they can just disappear the head of an international investigative body.

Nice.

As all of this is going on we also have, coincidentally, the arrest of an MSS asset in Belgium for economic espionage against the US aerospace community. Hmmmm gee, what a coincidence that this happens as the INTERPOL chief is disappeared. As you can see, and perhaps make the connections yourselves, it may be that the MSS is reacting to the impending arrest and/or extradition of their asset by grabbing another as a warning?

Hmmm….

Yes, expect more to come out of China with the worsening of the trade wars as well as the eroding of the world’s norms on illegality.

Thanks Putin and Trump!

Oh yeah, and I forgot to mention the whole South China sea thing too…


SAUDI ARABIA:

Next up, Saudi Arabia seems to have lured a Washington Post reporter to Saudi only to kill and perhaps dismember him in an embassy there. Saudi has never before been as bold and I directly point toward the breaking of all the norms and groups for this action too. It’s been pretty blatant and I suspect there will be no sanction over this. I mean, look, it’s Saudi right? OPEC, oil? Not to mention that Trump was basically setting himself up to be their stooge since the beginning. Nope, nothing will come of this and now the Saudis have killed a Saudi journalist working for an American news org.

I also want to mention the whole glossy magazine that was put out by Trump’s friend David Pecker back last summer. What was this all about? Well, it seems that that was a PR move to make the house of Saud more accessible to the US consumer? Put another way, the new crown prince wanted to look progressive and hip and with the help of Pecker they tried real hard. It’s just that the mark was missed with this publication. In fact it only made an already wary populace start asking questions as to why this happened and what kind of conspiracy was afoot. Expect more to come out of this Saudi reporter’s death and it will likely not be pretty. If they get away with this, and I think they will, then expect Saudi to pull some more stunts in the future as the crown prince gets more bold.

TRUMP REPUBLICANS:

Finally, the TRUMP party, I really don’t consider them Republicans anymore, will continue to push the limits of the nation’s norms and laws until they are just removed from power. The events around the recent SCOTUS nomination and confirmation of Kavanaugh are a clear example of how the Trump party is abusing their control over the house and senate to get whatever they want over what the governed wants. The Kavanaugh thing is just the most naked misuse of their power to date though and I am sure more will be coming once Trump replaces Sessions with a minion under his control. This will set the trifecta into play; DOJ under his control, SCOTUS under his control, and Mueller with a new target painted on his back.

I fully expect that when this happens the Russia investigation will be liquidated and the Trump party will lock arms and say that this is not a constitutional crisis. Of course then the DOJ will agree and SCOTUS will concur. It will all disappear at least legally right? This is Trump’s greatest desire and it seems more and more likely that this can happen because of the Kavanaugh ascension. An alternate timeline to this would be that Trump allows the investigation to finish but then has Kavanaugh in his pocket to be the deciding vote on whether or not a sitting president can be indicted.

Either way, it seems that if Trump can replace Sessions with a partisan minion, we are all doomed.

Even more worrying is the upcoming midterm elections. If the Trump party continues to be in control, expect to look fondly at the times of outrage over Trump’s mild bad actions because he will feel empowered to do even more bad things if he has total control.

Once again, thanks Putin.

We are at a tipping point here and not just with regard to climate change kids.

K.

Written by Krypt3ia

2018/10/11 at 13:38

Russian Phish on Hudson Institute & IRI Org: Filling In The Gaps


So Microsoft proclaimed that they had taken down some domains and stopped the GRU/SVR from carrying out some more active measures against the US election cycle. Now, they obviously have some more intel than they are letting us all know about because while the domains are definitely set up for some gov spearphishing, we don’t have any emails or data to show they actively had a campaign running. The domains (see below) are concerned with two think tanks that have a plethora of data that the Russians would want to have and perhaps tinker with but the government domains are aimed squarely at the Senate.


While the domains that are meant to typo-squat the think tanks are around one hundred days old, the senate domains are much older. In fact, these domains have been creepin’ around anywhere from nearly a year to just over a year. So you can see where the Russian services were aiming and have been planning for at least a year plus on the senate campaign. The think tanks are newer though and as such I have to wonder about the thought process by the GRU/SVR on these. Were the Russians looking to simply gain access to these think tanks and gather intel not just on their Russian stances but also around the world as the Russians have done before (mostly by the SVR collection missions) or was their plan to somehow steal their data and leak it as part of the larger active measures campaigns?

It seems though from my searching that the domains never had any real pages attached to them but for one having an IIS front end with nothing else. Wayback machine fails on all of them as does Google, so I am going to assume that these were all just domains used as C2 for traffic and perhaps a drive by attack in the case of one that showed up in VT and Hybrid (see above) but I could find no malware being attached to these domains with these tools. This is not to say that they didn’t and that people clicked on links and got infected at the Senate or these think tanks. I guess we will have to wait for Microsoft to elucidate some more on these.


But, back to these think tanks and the phishing that likely was to come or already happened. I am going to assume they already happened and that is how these domains were picked up because something happened internally and got reported? Is MS paying that much attention to domains or is it they were seeing O365 traffic (phish) and caught on? As I remember reading so far they really don’t tell us how they got the tip off but they must have had evidence because they took over the domains. In this section though, I want to focus on the why and the what of the active measures here by the Russians. Why these two think tanks? What were they going to do with the access one wonders. Or would this have been in tandem with the senate domains luring those being phished to an IRI report? It turns out that IRI (International Republican Institute) put out a press release on the revelations on their domain squat.

I guess that IRI itself, as well as the other org squatted (Hudson Institute), could be not only the targets of phish using these domains but also used as fodder to entice Republicans as well as perhaps Democrats to click on a tasty link and either get a drive by or be linked to a credential phishing site. As the DNC attacks I believe were credential harvesting sites, it is likely that this would be the case for all these entities were the Russians looking to gain a foothold on any of them. I am gonna say though, that the domain my-iri.org and the sharepoint domain for hudson.org say that they were looking to fool internal folks into clicking on something. As to the other domains it looks straight up like internal users being targeted.

So what would the goals be here with these? If you were to go after their internal systems and the fellows there what would you be looking for? I am going to say this too would have been a fishing expedition for information that the Russian government could use to destabilize all kinds of places as well as to understand how the think tanks were approaching Russia. If you look at the image at the top of the page you can even see how Hudson has a paper on countering the Kleptocracy. My concern here would be that not only would the adversaries be looking to steal information but also to pull the same kind of job on these orgs that they did to the DNC. Basically, I think it would be a disinformation campaign against these orgs to cause instability in their content and their following. I could also see tinkering with their reports as well as a means to make them untrustworthy. An added bonus to this also would be collection on any collaborators that the Russians might want to eliminate in country if the emails have source conversations too.

Of course now we are hearing that the Russians are attacking not only Dems but also Republicans and it is important to remember that their goal is to sow chaos and cause division. This is because if they can cause these things, the outcome is to have inaction as well as possibly traction for those like Trump that they are actively supporting with these kinds of active measures as we saw in 2016. So, there you have it, unless Microsoft and others care to give us some more information to work from this is pretty much all you can glean from their motives by proxy of their domains. You can see though, that they have been working on these plans for some time, at least a year for the think tanks and over a year for the senate campaigns.


In closing though, I want to just say that it would be real easy for the Russians to get the conventions of the email addresses as well as who to target at these institutions just by using LinkedIn. I did some cursory searches in Google and LI and came up with shovels full of names and email addresses to use. It’s phishing season kids! I do wonder just how much security training these people have….

Hmmmm…

K.

Written by Krypt3ia

2018/08/21 at 18:28

The Insider and The IRA Data That’s Been On Auction For Over A Year


Today a tweet was directed at me concerning some new information posted on a Russian news site back on February 21st that no one in the US media seems to have noticed nor the NATSEC community. In fact, I had not seen this and I kinda have chided myself for not paying better attention to the Joker Buzz site that the data was for sale on, for a year! I had actually been on their site(s) in the clearnet and darknet and thought I had posted a blog about the notion of the site and what they sell but I can’t seem to locate it. I guess maybe I just tweeted about it and moved on …My bad.

Anyway, the post on The Insider has the skinny on how a user there named “AlexDA” had ALL of the IRA’s internal documents on the active measures campaign for sale for over a year and no one really took notice. This means that we could have bought the data and had all of the actors, their data, and their METADATA if we had only seen or purchased them back in January/February 2017. What’s more is that had we had this intelligence in the open much more could have been easily available for the general public to be aware of how this was all working and what to look for. Of course now after the Indictment by Mueller of the 13 entities the op has been completely blown and the infrastructure is likely not to be operational, but, we could see operational details and OPSEC mistakes that the players made and extend that to the upcoming year’s election cycle and Russian influence and active measures campaigns to come right?

Even so, big things are in the small details even within the offering itself that AlexDA is making on JokerBuzz. I have been going through the images from the auction site that Alex put up to entice and prove that they are legit and here is what I have found by doing my thing as usual mining:

Proxy IP Space Used:

In the offering images you can see that AlexDA tried to obfuscate the last couple octets but if you look real hard you can see the numbers pop up. Of course if you just take the first two or three octets and you put that into Google you can see what pops right up. So, the first thing to see is that the service mentioned in the indictment is actually Total Server Solutions LLC out of Plano, Texas. I would like to call your attention to how much “Texas” was involved in many of the Twitter and Facebook accounts that were super patriotic. It was mentioned in the indictment that they rented the server space to appear that they were in the US. Well, there you have it kids. The data fits and it makes sense that they would try to do this to appear as if they were in the US to fool first pass looking right? I ran an Nmap of the /24 and as you can see if you look, there are some proxies, port 80 and 22 open but none are available to access at this time, so maybe they went back to being just space owned by Total Server… I would hope though that those there servers had been, ya know, collected on by subpoena by the FBI right?

Wink wink nudge nudge.


Meanwhile, there’s a bunch of servers/IPs listed in the images as well that are in Russia using port 8888. I haven’t looked at those with Nmap but they are VPS as well so maybe they are still in play. Suffice to say though, it is interesting data and could lead to more things coming to light if you look into them a little further. If you want to play the home game please feel free. I will be circling back over this stuff in the near future and enlightenment will be posted here when I have it for you all.

Alias and Users To Search:

Gee, look at all those aliases man! I have yet to dig into these and I am sure some are already known but you now too can play the home game! Take a look and see what histories you can find on these accounts/nicks. I am willing to bet we can put together quite the timeline and then use that as data to look at future attacks as well. All those Blacktivist accounts though were the appetizer to what I saw next in the screen shots. Alex gives us a whole thing to work with in the image below and if you start digging on that you can get some good stuff.


http://aktivnyye.com/t/20171013-blackmattersus.html

Nolan Hack, a name that I believe others have seen in the press accounts, has a Facebook page, a phone number, and a site blackmattersus.com that is in fact still live but not updated since 2017 it seems. His Facebook is live still as well (Why no take down Facecult?) I looked up his details on there and the blackmattersus site and what I came back with was a cell phone out of California marked as a bad number and a site that has been around since 2015 that was registered anonymously and kept so throughout the time it has been up.


I am sure with more digging on the name (Nolan Hack *amusing*) I can put together more of the breadcrumb trail to show the cutout’s actions. Maybe in a post to come, but suffice to say that this data also is legit and tracks with everything we have been told by the IC and the news up to today on the active measures by the IRA.

Passwords:

Amazingly enough in the screen shots given on the jokerbuzz site you can also see where Alex tried to remove at least half the passwords in a couple posts. I immediately knew what the password was because, I mean, come on! The phrase “Greed is good” is a classic line from Wall Street and Gordon Gekko. If you look close enough at these images though you can make out the lower part of the G so you know it is that. Now we have to work backwards on those accounts and get the full data in order to attempt to maybe log into them and see what intel we can gather from them (see below for lower part of the g). It is also amusing to see that these guys were sloppy and re-using passwords in various accounts. If we get the accounts right I am betting we could own them all and gather much more insight.

Greedisgood…. You guys amuse me.

Illegals Names and drop sites:

In amongst all the stuff is also an address and name where drops were made in NV used by the IRA and more likely the illegals who were in country. The address comes back to a known bad drop/company in NV that has a history of being used for Ebay scams. The cutout name of Gneeda Harris has zero history on first pass but I will look again and dig a little more. Maybe I can turn up something more on this ID but at the very least we have something more to work with than what the special counsel decided to drop on us.

Maybe the FBI can check this place out and see if they have had DVR’d video surveillance? Maybe this dead drop is still live? Are there still illegals in country that have been told to sleep? I wonder…

Metadata:

Lastly, or near the last thing I will cover here on this is the metadata. I used wget to pull down the jokerbuzz site and in the folder for the page of the auction are the screen caps used. Pulling those down and then running them through the old EXIF scan you can see that these captures were done September 28th and 29th 2016. The time stamp says +3hrs and that as of today they were done 1 year 4 months 28 days ago. So, back in September 2016, this data was in the hands of AlexDA and ostensibly about to be put up on Jokerbuzz. This means that either someone on the INSIDE decided to sell out the operation because they knew they were blown and wanted some cash, OR, someone hacked them and downloaded all this shit making the screen shots in September for the jokerbuzz auction. This in tandem with all the backstopping I just did shows that this data is legit and it has been on sale for at least a year and no one knew or was clued in enough to say anything about it.

Who is AlexDA?

Lastly, who is AlexDA? How did they get this data and what is the motive here other than money? Money mind you that they did not get in over a year as the auction timed out and NO ONE bought it. Now, I have been looking at who this may be and there is a case to be made that this dump came from Shaltai Boltai (humpty dumpty) a group that is now broken up due to arrests but has one last player on the loose. That player is in fact a guy named Alexander Glazastikov who has not been caught and may in fact be AlexDA. I will also point to the fact that if you look at the Jokerbuzz auctions there are a number of them from Shaltai Boltai offering all kinds of interesting data leaked from Russian operations. So, it is my guess that this is the case but just an educated one. I for one would like to have a conversation with AlexDA and see just how much he wants for the dump now that it has not sold in over a year. Maybe we all can crowdsource it?

Summing Up:

Anywho, this is what I found just by looking at the details here in the auction post. Imagine what we could have if we actually had all the documents? Hell, I would love to get my hands on them, prize out all the details and then pass it along to the feds. The data is legit, it has been around for a year online, and we all missed it man!

Hey AlexDA, you wanna just gimme that data for free feel free to reach out to my protonmail acct!

More stuff when I have it kids.

K.

Written by Krypt3ia

2018/02/26 at 22:55
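The metadata step in the post above, dating the auction screenshots from their EXIF timestamps and turning that into a “1 year 4 months 28 days” figure, as an added example that is not the author’s own tooling: a standard-library-only reader for the Exif DateTimeOriginal tag and a calendar-style age calculation. Because the real screenshots are not reproduced here, the block builds a constructed minimal JPEG (assumed layout: SOI, one APP1/Exif segment, EOI; the timezone-offset tag the post alludes to is not modelled).

```python
import struct
from datetime import date, datetime, timedelta

EXIF_IFD_POINTER = 0x8769   # IFD0 tag whose value is the offset of the Exif sub-IFD
DATETIME_ORIGINAL = 0x9003  # Exif sub-IFD tag: "YYYY:MM:DD HH:MM:SS" as NUL-terminated ASCII


def build_sample_jpeg(stamp, byte_order=">"):
    """Constructed sample, not one of the auction screenshots: a bare JPEG (SOI, APP1/Exif, EOI)
    whose only metadata is DateTimeOriginal. byte_order ">" = Motorola ("MM"), "<" = Intel ("II")."""
    ascii_val = stamp.encode("ascii") + b"\x00"
    bom = b"MM" if byte_order == ">" else b"II"
    tiff = bom + struct.pack(byte_order + "HI", 42, 8)     # TIFF magic 42, IFD0 starts at offset 8
    exif_ifd_off = 8 + 2 + 12 + 4                           # IFD0 = count + one entry + next-IFD pointer
    tiff += struct.pack(byte_order + "H", 1)
    tiff += struct.pack(byte_order + "HHII", EXIF_IFD_POINTER, 4, 1, exif_ifd_off)  # type 4 = LONG
    tiff += struct.pack(byte_order + "I", 0)
    value_off = exif_ifd_off + 2 + 12 + 4                   # the 20-byte string sits after the sub-IFD
    tiff += struct.pack(byte_order + "H", 1)
    tiff += struct.pack(byte_order + "HHII", DATETIME_ORIGINAL, 2, len(ascii_val), value_off)  # type 2 = ASCII
    tiff += struct.pack(byte_order + "I", 0)
    tiff += ascii_val
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _ifd_entries(tiff, order, off):
    """Yield (tag, type, count, value_or_offset) for every 12-byte entry of the IFD at off."""
    (count,) = struct.unpack_from(order + "H", tiff, off)
    for i in range(count):
        yield struct.unpack_from(order + "HHII", tiff, off + 2 + 12 * i)


def exif_datetime_original(jpeg):
    """Walk the JPEG segments to APP1/Exif and return DateTimeOriginal as a datetime, or None
    when the file carries no such tag (many screenshot tools write none at all)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xD9:
        marker = jpeg[pos + 1]
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)  # length field counts itself
        payload = jpeg[pos + 4 : pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            order = {b"II": "<", b"MM": ">"}[tiff[:2]]
            (ifd0_off,) = struct.unpack_from(order + "I", tiff, 4)
            for tag, _, _, exif_off in _ifd_entries(tiff, order, ifd0_off):
                if tag != EXIF_IFD_POINTER:
                    continue
                for tag2, typ, count, val in _ifd_entries(tiff, order, exif_off):
                    if tag2 == DATETIME_ORIGINAL and typ == 2:  # 20 bytes > 4, so val is an offset
                        raw = tiff[val : val + count].rstrip(b"\x00").decode("ascii")
                        return datetime.strptime(raw, "%Y:%m:%d %H:%M:%S")
        pos += 2 + seg_len
    return None


def elapsed_ymd(start, end):
    """Calendar distance from start to end as (years, months, days), the form the post quotes."""
    years, months, days = end.year - start.year, end.month - start.month, end.day - start.day
    if days < 0:                                   # borrow the length of the month before `end`
        months -= 1
        days += (end.replace(day=1) - timedelta(days=1)).day
    if months < 0:
        years -= 1
        months += 12
    return years, months, days


def capture_age(jpeg, as_of):
    """(years, months, days) from the embedded capture date to an ISO date such as '2018-02-26'."""
    taken = exif_datetime_original(jpeg)
    return None if taken is None else elapsed_ymd(taken.date(), date.fromisoformat(as_of))
```

Run over a real directory of pulled screenshots, `capture_age(open(path, "rb").read(), "2018-02-26")` gives the same dating the post reports, and a `None` result tells you the tool that made the capture stripped or never wrote the tag.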

UBER DD0S! MUST BE RUSSIA!



Oh the old go-tos of China and Russia… Hey Schneiman how about maybe it’s Kim Jong Un and the DPRK? Let’s play the attribution game with a little logic and analysis shall we? Let’s say that it is Russia or China, what would the endgame be here if they were testing such a means of attack(s)? Would this attack scenario be part of the larger kinetic invasion? Would this be a part of a larger scheme to take out specific areas or are we talking about the WHOLE internet? There is a lot to parse here and so little to go on with what Schneiman is implying.

Now, Russia and China are both “Rational Actors” and both have large connectivity and ties to the global internet in more ways than one. One of those ties would be financial. So if an attack took out the core routers, how much of the global traffic would be taken out if these attacks were carried out? How much blowback would there be on these rational actors if this happened? What would be the financial loss net if this happened? Do you see where I am going with this Schneiman? If someone is really testing this type of attack, then it is either a rational actor looking for the endgame or it is an “irrational actor” testing something that they might use because they have nothing to lose themselves were they to deploy it on the larger game board?

Think.

So, who do we all know today who would fit this bill and has the capabilities?

Hmmm?

You have any ideas?

Come now…

How about THIS GUY?


That’s right! He’s banned sarcasm AND he has hacked Sony!

So just sayin there Schneiman you may want to think outside the box a little and use some analysis before you just start saying “China” did it… Or Russia for that matter. See Kimmy there has nothing to lose and EVERYTHING to gain if he carried out attacks like these. Just imagine the size of his DONG if he pulled this off and took down the internets! He wouldn’t feel a thing in the DPRK because they have very little internet access to start in the Hermit Kingdom.

Just sayin…

Dr. K.

UPDATE: Well now someone kindly pointed out I left out Iran and made them sad. Yes, Iran would be another semi-irrational actor who could be doing this as well. Boo Hoo Iran!

Written by Krypt3ia

2016/09/19 at 21:17