Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Disinformation’ Category

RULEAKS: Russian Media and Disinformation in Ukraine by the DNR-ONLINE

with 3 comments

INTRODUCTION:

Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all come from Russian backed Ukraine sources. RUH8’s dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOC’s but once I harvested the email spool itself and began to get things translated things got even more interesting.

Once I mirrored the site I got some help from <REDACTED> and set to work in translation of emails and documents attachments. Most of the bulk of the dump is average emails concerning daily business but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (The Russian separatist area of Ukraine) and those outside it including other countries outside of Ukraine.

Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.

THE LEAK:

The leak by RUH8 in the darknet consists od more than a few entities email spools as well as individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dir-online.ru. This is a media org in Ukraine that is Russian backed and as I said before caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day but five documents stood out amongst them all (frankly there are more to be analyzed and one needs Russian speakers to translate them all) as being all things shady.

RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.

THE PROPAGANDA PLAN:

Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.

DOC1

From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad. And also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, Website hosting, web administrators, editors, advertising, The amounts — which are, for some reason, in US Dollars, are $9,250 for initial set-up expenses, and $38,280 ongoing costs. Those could be monthly costs — the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month.  The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month! 

DOC2

From Translator: is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misformation from Kiev. Sounds totally legit.

Oh, and I figure out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia — something like 20 years ago, when the Soviet Union had just collapsed, inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit” — which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.

Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.

So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.

Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).  

They’re expecting 100,000 unique visitors a day on weekdays.

It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.

So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.

Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expensies. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.

This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).

They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.

That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…

DOC3

From Translator: This is super evil. I’m really impressed! The idea is is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.

DOC4

From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.

DOC5

From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.

DOC6

From translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.

So here is the context from these documents from the translator for you…

From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wresting federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.

Bryusov then forwarded them on to Surkov.

So, how likely is this?

Well, I spent a some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)

Russia also paid the operating costs for the Abhazian press center, where I spent many a happy day. All international phones calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgias and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)

Anyway, the bottom line is that I do have personal experience of Russian spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.

As you can see from the commentary above, and you too can read the documents as well, the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a Free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through Threatcrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough the site itself is not a C2 but it does have connectivity to other IP addresses and domains that are.

dnr-online.ru

WHOIS for dnr-online.ru

5.101.152.66

The archology of malware that talks to 5.101.152.66 is rather interesting. There’s a bit of everything bad attached to that one to be sure including that MrSweet address that is ransomeware central. 5.101.152.66 is owned/created by beget.ru which has quite the many few dirty connections as well.

beget.ru WHOIS

beget.ru

Of course beget could be innocent enough but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or domain names and that will be another post I am sure. What all of this tells you though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine as well as what they did to us in the election of 2016. This is not a one time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until it’s demise.

… and likely past it.

THE MALWARE & GROUNDBAIT:

Right! now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware. All the word docs, excel sheet, power-points etc. The docs all checked out but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe) Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe came from an email comiing in from a Russian source to the head of dnr-online. I am unable to source the headers at this time of the email but the question becomes was this malware sent to the DNR by RUH8 or was this malware sent to DNR to send to others in some other campaign. I cannot say either way but, the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine it stands to reason that the logic here is that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text and to me it seems to imply that it is a fix for things inside dnr. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.

An interesting notion…

I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOC’s for this file for you all to look for.

IOC’s

Filename: Recovery Control Center Help DNR-Report for October 13, 2015
Filetype:.exe
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip

https://www.hybrid-analysis.com/sample/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e?environmentId=100
https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/

https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/

Dropped executables
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”

Writes directory archive.rar (exfil)

C2 connected:185.68.16.35
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1

https://www.threatcrowd.org/ip.php?ip=185.68.16.35
https://www.threatcrowd.org/malware.php?md5=7accb6fed266a2023659f438ad1b3546
domain:      wallejob.in.ua
descr:       Domain registered for customer of Ukraine.com.ua
admin-c:     UKRAINE-UANIC
tech-c:      UKRAINE-UANIC
status:      OK-UNTIL 20170619000000
nserver:     ns114.inhostedns.com
nserver:     ns214.inhostedns.net
nserver:     ns314.inhostedns.org
mnt-by:      UKRAINE-MNT-INUA
mnt-lower:   UKRAINE-MNT-INUA
changed:     hostmaster@ukraine.com.ua 20160907200219
source:      INUA

Found malicious artifacts related to “185.68.16.35” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
https://www.threatcrowd.org/domain.php?domain=wood-house.com.ua

URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
https://www.threatcrowd.org/domain.php?domain=wallejob.in.ua
https://www.hybrid-analysis.com/sample/319e9dc36678c4d774ba0765ec93d3160bd476ab0f98bac1b7e5b92e7994a88a/?environmentId=1

URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
https://www.threatcrowd.org/domain.php?domain=zarabatak.ru

URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
https://www.threatcrowd.org/domain.php?domain=psh.co.ua

URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
https://www.threatcrowd.org/domain.php?domain=sem-dev.co.ua

wood-house.com.ua
domain:           wood-house.com.ua
dom-public:       NO
registrant:       xdkjv649
mnt-by:           ua.intermedia
nserver:          ns311.inhostedns.org
nserver:          ns211.inhostedns.net
nserver:          ns111.inhostedns.com
status:           ok
created:          2014-11-07 13:31:27+02
modified:         2016-11-03 16:37:39+02
expires:          2017-11-07 13:31:27+02
source:           UAEPP

registrar:        ua.intermedia
organization:     SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
url:              http://names.com.ua
city:             Melitopol
country:          UA
source:           UAEPP

contact-id:       xdkjv649
person:           Vladimir V Rabotnov
person-loc:       Работнов Владимир Владимирович
e-mail:           not published
address:          not published
address-loc:      not published
phone:            not published
mnt-by:           ua.intermedia
status:           ok
status:           linked
created:          2013-04-05 15:01:02+03
modified:         2014-01-08 23:42:17+02
source:           UAEPP

 

TYING IT ALL TOGETHER:

So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic put together a media service(s) and planned to use them as a framework of Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within it’s mail spool being passed around at least to two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.

I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest to you all that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here” which is interesting to me. I mean malware that no one has seen really and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spent the cycles on looking deeper into the data. I actually did with the help of others as well as checked the forensics on the metadata to insure the stuff was real.

…but that’s just me… I am not a churnalist.

Oh well..

More when I have it.

K.

UPDATE!: One day after this report one IP address involved as a nexus of malware has changed it’s domain name! Coincidence? Hmmmm?

Screenshot from 2017-03-29 06-14-33

Written by Krypt3ia

2017/03/28 at 13:00

Cyber-Berkut Joining The Manafort Fray

with one comment

Cyber-Berkut, a Russian leaning alleged hacker collective in Ukraine decided to weigh in on the whole Manafort debacle with a data dump. The dump unsurprisingly is pro Russian and attempts to paint the US as trying to manipulate things and make it look like Manafort is guilty. Berkut does this by dropping a word doc and a couple of pdf’s that they claim make a case for the State Department trying to discredit Manafort’s efforts in Ukraine on Russia’s behalf. It is rather amusing and ineffectual really but I had to take a closer look because they claimed to have hacked these documents. The documents look legit but there is no source on these as to where they were hacked from if hacked at all as well as no other dump to confirm a hack at all of any merit.

They try to link Leshenko to all of this. Leshenko too was alleged to have been the hacker in the Manafort cell phone hack and extortion. Same actor?

Now berkut doing this is not new really but most of the time they spend their time attacking the Ukrainian factions who reside outside of Donetsk who want to have a free country, not those who want Russian rule. In the past this group has hacked and DDoS’d sites but this one, weak as it is, caught my attention just because Manafort is now in the hot seat over Russian ties to oligarchs who are close to Putin while running the Trump campaign so one tends to want to dig. In looking at Berkut and their history other have claimed that they are part of the Fancy Bear group and even attempts have been made to link them to the cutout Gucci-fer (Gucci, like Gianni and Fur, like… Fur.. Not GOOSIFUR) and DNCLeaks as well. These are somewhat tenuous reports though from what I saw in looking out there at them but it made me want to dig a little more into them.

Berkut showed up in or around July 2014 with sites being created on numerous domains since. Most of theses sites had been registered privately negating personal information but several of them from the time of first creation have one name attached to them; Aleksandr Pachenko. An Aleksandr Panchenko does live in Ukraine and does in fact work in tech who may fit the bill as to the originator of the sites. The email address though used for each of these, alex_panchenko@mail.com, does not really exist and the addresses used are bogus as well so there is not much to go on other than a name but let’s get back to those pesky and numerous domains eh?

CYBER-BERKUT.SU
CYBER-BERKUT.TK
CYBER-BERKUT.RU
CYBER-BERKUT.COM
CYBER-BERKUT.INFO
CYBER-BERKUT.BIZ
CYBER-BERKUT.CENTER
CYBER-BERKUT.ORG
CYBER-BERKUT.US
CYBER-BERKUT.ME
CYBER-BERKUT.CZ
CYBER-BERKUT.IM

It seems that whoever created these sites (including a defuct darknet site) really wanted to get information penetration maxed out. Many of the sites still work and others have been decommissioned and the domains are up for sale. in each case though of creation they all have been created anonymously with domain registrations all over the world except for the six or seven I located with early creation dates going back to 2014. Is this because this Aleksandr created them without figuring what he was doing with them? Or were these created with that name as a means to an end to mislead people? If in fact Berkut is just a anonymous hacker group wanna be aligned with the Russian state then maybe this guy just figured that historical whois costs money and long enough goes by and no one pays attention? If it is the other case where someone is using his name, why be so consistent with it? Does someone hold a grudge or is this a famous person that they are just using the name of? I started looking around to see and here’s what I came up with.

Aleksandr Panchenko 1: Mathematician currently studying in Germany on Phd

Aleksandr Panchenko 2: Chessmaster (deceased)

Aleksandr Panchenko 3: 32 year old  living in Kyiv Ukraine who’s profession is in computers (Oracle Dev, Unix Admin etc)

Aleksandr Panchenko 4: Wedding Photographer in Kyiv Ukraine

There were others but you get the sense that the name Aleksandr Panchenko in the Baltics is kinda like John Lee in China if you catch my drift. Though, that one guy, the one with all the technical experience does kinda stand out right? That is someone who has the technical chops to do some hacking and dumping as well as run sites right? It is all way circumstantial but I for one, if I were the FBI say, might go look this guy up and ask em a few questions. After all, the Berkut has been naughty and attacked us as well as others in the wider internet world.

The Manafort intersection though still interests me. I wonder if they will continue on trying to muddy the waters now that Manny has decided he will testify in front of Congress. As the shoes of the millipede keep dropping I am sure that the RU factions will try to drop chaff on things to confuse everyone. I will keep an eye on the site(s) to see if they dump anything else of interest but for now just take a gander at these files and the results of the searches…

Doc 1

Doc 2

Doc 3

K.

Written by Krypt3ia

2017/03/24 at 18:24

Posted in Disinformation

Scenarios on Outcomes from Russian Information Operations on the US 2016 Election

with 2 comments

1016374513

Assessment Goals:

With all that has been happening with the disinformation and influence operations during this election cycle I thought it prudent to thought experiment out some scenarios if Russia or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit would other countries like Russia gain from such operations and you would be right to ask. That is a question for another post but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.

The goal here is to just lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat but you get the idea. All of these attacks are possible, and they do not have to all work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?

Interesting times….

SCENARIO 1: VOTE TAMPERING

The voting machine have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US according to sources. However, this does not preclude a way found to insert such code or physical devices in key states. It is also not impossible to have assets in play such as sympathizers or outright KGB assets on the ground helping to tamper with the results. I will not go into the details because this is a scenario to start but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.

POTENTIAL OUTCOME:

  • Trust in the election system is diminished
  • Recalls are called for by both candidates and the public
  • The electronic systems will lose public trust and a re-assessment of the process will be mandated

SCENARIO 2: VOTER ROLLS TAMPERING

Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a republican they can change that roll to the opposite party and vice versa. Additionally what if a users region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about and this could be one of the goals.

POTENTIAL OUTCOME:

  • Voters are unable to vote once they get to the polling place.
  • Voters are not allowed to correct these records and are thusly negated from the process
  • Attack key states once again, going for the electoral college and you can change the outcome of an election
  • All of the above once again have the amplification of causing distrust of the system and damage to the election
  • The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?

SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY

Russia has attacked the Ukraine elections by inserting malware/code into the election machines in 2014 that effectively bricked them. If such an attack code were placed and propagated within the American voting systems the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots but I am unsure the process can be that effectively nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return of service would be long, causing more FUD to the elections process itself.

POTENTIAL OUTCOME:

  • Voters are unable to vote or the process takes so long that they walk away with a more analog process
  • Trust in the electronic system would be degraded or destroyed
  • The election cycle would be likely broken and emergency measures would have to be employed (contingencies)
  • Continuity of government is challenged

CONCLUSIONS:

These three scenarios to date, have not been covered I believe. This post comes to you as the fruit of a discussion I had with @SteveD3 and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation to our election systems and the stability of the nation. It need not render the election completely in the favor of one or the other candidate conclusively to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged? With or without the hand of the Russians, others could be easily blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.

I suggest you red team these ideas yourselves and see what else you can come up with…

Written by Krypt3ia

2016/10/11 at 14:20

GDD53: A Russian Hosted i2p Site That Claims Trump’s Email System Had Ties To Alfabank (Russia)

with 3 comments

screenshot-from-2016-10-08-15-35-46

Recently a page showed up on WordPress (10/5/2016 to be precise) that has an interesting albeit hard to prove claim. The site is named gdd53 and the claim is that Donald Trump’s email systems were set to have a direct connection to servers in Russia for Alfabank, a Russian bank. Alfabank I caught wind of the site when someone asked me to look at an i2p address that they couldn’t figure out and once I began to read the sites claims I thought this would be an interesting post. While the site makes these claims, I cannot, as I don’t see any concrete examples of data other than the screen shots on the site and the assertions of those who put this up. In looking into the facts all I could come up with was some truths to the IP addresses and machine/domain names but nothing really solid on ASN’s being pointed between the Trump email servers and Alfabank nor Spectrum Health as is also claimed.

i2p Site:

However, there are some interesting twists to the page. First off, the i2p address in the WordPress site is wrong from the start. Once I dug around I found that the real address was gdd.i2p.xyz which is actually a site hosted on a server in Moscow on Marosnet. This site in the i2p space was a bit more spartan, however, it had much more data to offer on the whole contention that Donny had a connection to Russia. There is a claim that a NYT reporter asked about this connection and then server changes were made yadda yadda, but why is this on a Russian server? Why i2p? Why is the site gone now? Why was the address only half there on the WordPress site to start?

So many questions…

screenshot-from-2016-10-05-14-30-44i2p site main body text (part)

screenshot-from-2016-10-05-14-38-53Alleged network map of how the system “would” look

screenshot-from-2016-10-05-14-52-53A traffic map that shows alleged history of peaks and troughs in data between the alleged servers

screenshot-from-2016-10-07-15-16-59Maltego of the servers

screenshot-from-2016-10-07-15-30-38Onionscan of the i2p site

screenshot-from-2016-10-07-15-31-02WHOIS of the i2p site

screenshot-from-2016-10-07-15-31-26Only one ping Mr. Vasiliy

screenshot-from-2016-10-07-15-31-42Nmap of the site while it was up

After poking around and doing some historic WHOIS I came to the conclusion that I cannot prove out their claims because really I would need to have access to the server in order to see the direct routes for mail being put in there at the time this was alleged to be happening. I did however in my searches come across some interesting things concerning the company that hosts Donny’s email systems though. Cendyn is the name of the company and in their business history you can see how maybe a connection can be made to Russia at least. Certainly you can begin to see why ol’ Donny boy would use Cendyne as his go to but no smoking gun here.

Cendyne:

As stated above Cendyn hosts the servers for Donny’s email. I looked into Cendyn and the closest thing I can see without doing a real in depth on them is that they do CRM for hotels and that maybe some of the hotels in Russia may use it? No confirmation there though. Mostly though Donny uses Cedndyn for his hotel businesses as well so I guess since this company also does some hosting he had them do this for him. If anyone wants to ask Cendyn for their records perhaps we can get some clarity on this whole thing. I doubt though if asked will they give up logs/configs on the systems in question. I also have to wonder about this whole allegation that a NYT reporter asked about this.

Say, any of you NYT’s people out there care to respond?

screenshot-from-2016-10-08-15-41-55 screenshot-from-2016-10-08-15-42-26

screenshot-from-2016-10-08-15-42-42

At the end of the day, in a week of old dumps of data by Wikileaks and Guccifer2.0, I am unimpressed with this attempt unless someone can come up with something more concrete. One does wonder though just who might be trying this tac to attempt to cause Donny trouble. It seems a half assed attempt at best or perhaps they were not finished with it yet.. But then why the tip off email to someone who then got in touch with me? Someone I spoke to about this alluded to maybe that was the plan, for me to blog about this from the start..

Ehhhh nah I don’t buy that.

However, what has my attention is that this is just one attempt in a sea of attempts to manhandle the US election process. A series of hacks and leaks by Russia (if you believe the DNI) attempting to cause our election cycle to melt down and perhaps let the tiny handed orange Hitler win the election. Jesus fuck what a scary time. I mean sure, I lived through the 80’s and the bad times with Reagan and the nukes but Jesus Fuck all of this is balls out destroy the system by pushing the idiots to the boiling point!

Meanwhile Donny is not preparing for the next debate because it’s “annoying”

BAAAAHAHAHAHAHAA fucking chucklehead.

Interesting times kids…

K.

PS… Feel free to investigate for yourselves and let me know if you find anything interesting!

UPDATES

After posting this yesterday there have been some revelations. First off, someone in my feed put me in touch with the NYT and a reporter has confirmed to me that what the site says about NYT reaching out and asking about the connections, then the connections going bye bye is in fact true.

Ponder that one kids…

So I decided to use my eagle eye and look for another eepsite to pop up and sho-nuff it did yesterday at some point UPDATED with new and fun data! The “Tea Leaves” person(s) have added logs that they allege came from the name servers for Cendyne.

screenshot-from-2016-10-09-08-13-22

screenshot-from-2016-10-09-08-35-31

screenshot-from-2016-10-09-08-35-14

screenshot-from-2016-10-09-08-34-48

These are the key files in the new dump but the problem I have is that they are just text files. Anyone with the know how could re-create these to look legit enough but yet still be questioned. I see no actual login to the shell and queries being run here so really coulda just done a find/replace on another query on any server you have access to.

I have to say it though, these guys are trying to get the word out but in a strange way. I mean this eepsite is now hosted in Czechoslovakia, staying with the Baltic flavor but why not broadcast this more openly? Why does the WordPress site have the wrong address to start and then the other eepsite disappears after a little poking and prodding?

krypt3ia@krypt3ia:~$ whois 46.36.37.82
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the “-B” flag.

% Information related to ‘46.36.32.0 – 46.36.63.255’

% Abuse contact for ‘46.36.32.0 – 46.36.63.255’ is ‘abuse@gtt-as.cz’

inetnum:        46.36.32.0 – 46.36.63.255
netname:        CZ-GTT-20101025
country:        CZ
org:            ORG-Ga241-RIPE
admin-c:        LM1397-RIPE
tech-c:         LM1397-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-GTT
mnt-lower:      MNT-GTT
mnt-routes:     MNT-GTT
created:        2010-10-25T13:24:34Z
last-modified:  2016-05-19T09:42:08Z
source:         RIPE # Filtered

organisation:   ORG-Ga241-RIPE
org-name:       GTT a.s.
org-type:       LIR
address:        Hornatecka 1772/19
address:        180 00
address:        Praha 8
address:        CZECH REPUBLIC
phone:          +420261001179
fax-no:         +420261001188
admin-c:        LM1397-RIPE
abuse-c:        AR14420-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-GTT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MNT-GTT
created:        2010-10-04T15:25:45Z
last-modified:  2016-05-20T10:04:31Z
source:         RIPE # Filtered

person:         Lukas Mesani
phone:          +420-725-793-147
address:        Czech Republic
nic-hdl:        LM1397-RIPE
mnt-by:         MNT-FRODO
created:        2006-06-07T13:57:53Z
last-modified:  2014-02-11T22:58:02Z
source:         RIPE

% Information related to ‘46.36.32.0/19AS51731’

route:          46.36.32.0/19
descr:          GTT-NET
origin:         AS51731
mnt-by:         MNT-GTT
created:        2010-12-09T01:08:59Z
last-modified:  2010-12-09T01:08:59Z
source:         RIPE

The biggest takeaway is that the NYT confirmed that they asked the question and shit happened. They are still looking into it.

Oh Donny shit’s about to get worse in your dumpster fire world.

K.

 

UPDATE TWO OR THREE….

Dear Tea Leaves,

Answer my questions in email sent Monday. Stop muddying the waters with information that cannot be proven.

Yours,

Dr. K.

screenshot-from-2016-10-11-10-59-16

 

screenshot-from-2016-10-11-10-59-26

Above was emailed to me Sunday. I responded and asked specific questions. This comment is useless static.

Written by Krypt3ia

2016/10/08 at 20:27

Influence Operations: We All Carry Them Out

leave a comment »

Screenshot from 2016-09-06 08-29-26

 

All of the hand wringing and whinge-ing over the possibility that Russia has hacked our completely insecure election systems has my bile up… Well that and it seems I am lactose intolerant and ate whole ice cream last night. Anyway, back to INFLUENCE OPS and their use globally. The article above from the Boston Globe really set me off this weekend. All of these guys in the corridors of power all hand wringing over the possible fact that Russia has been messing with our political process makes me want to fly to Washington and bitch slap people. This type of activity has been going on forever and it is not just Russia pulling these strings even today. If you take a look at the actual history of the world you will see many players playing the same games with or without the benefit of Wikileaks and computers both then and now. This is not new people and for fucks sake wake up and realize that the US playing the “hurt” card in this game is really quite absurd in the grand scheme of things.

Now once you have taken a little trip down history lane with those links I just provided, then I want to ruminate on the whole problem today of the hacks on our democratic systems. See, as a former pentester and now a blue team guy I often ran into places that just did not have a clue about security. Still today there are many places that are very clue free and that also includes our government and those bodies that comprise our election systems. Seriously? Seriously those election systems were not even being monitored? You are shitting me right that the alleged Russian hackers used Acunetix to scan and then just SQLi dumped shit right? …

And no one saw a god damned thing…

It’s hardly INFLUENCE OPS when all you need to do is run a shitty tool and just take what you want with a script kids. So really, stop with the hurt and surprised bullshit Congressman and Senators alike! Put on your big boy and big girl pants and get the fuck over the fact that someone would have the audacity to fuck with our already fucked up election cycle anyway! As to Putin’s comment on the subject recently ‘‘It doesn’t really matter who hacked this data from Mrs. Clinton’s campaign headquarters,’’ I agree, it doesn’t really matter because the fact of the matter here is that her actions alone concerning the BleachBit of her server days after it’s public disclosure should be enough to show us all just what fuckery is afoot without Russian intervention to begin with. What the paradigm change here is is that we now don’t have to send plumbers to Watergate’s to break into file cabinets to get the data. All one needs to do now is fucking Acunetix an IP and then run SQLi map to fuck with a national election and that is just fucking sad.

Screenshot from 2016-09-06 09-17-01Shut up Grandma Nixon!

At the end of the day I for one don’t care who hacked the shit, what I care about is that there is enough evidence to show that even with out information/influence operations that there’s some crooked shit going on. The problem is that this is the default state of our governance and election system so one tends to just become complacent about it. The hack on the election here and now, with the fate of the world in the balance so to speak, with Führer Trump or Grandma Nixon only makes it all the more piquant for the hungry news media but in the end means a choice between two terrible shit sandwiches to those paying attention here.

We are all fucked either way.

Move on.

Dr. K.

Written by Krypt3ia

2016/09/06 at 13:26

DISINFORMATION and PSYOPS: Corporate, Government, and Personal

leave a comment »

Screenshot from 2014-09-24 10:23:47

The Panopticon and Testbed

266883-1460de6223a90aa772ce84c520719027-medium_jpg

Recent stories online have got me to thinking again about the internet and it’s effects on just about everything. Specifically though of late the idea of how the internet is being used in efforts of control and observation of course have been at the forefront of my mind. Since the revelations of “Snowman” came out just about everyone has had to face the facts that I and many others were saying all along, primarily this; “The internet is a massive and accessible form of control” We are living digitally in a panopticon.

For a long time after the revelation that the MAE West was split and a NARUS STA6400 was placed inline, I have been saying that we all were being surveiled in a driftnet approach to intelligence collection. Some considered me a tinfoil hatter but the reality is that the government has long been using the net as a means of intelligence gathering. Now though there has been a paradigm shift from not only using the internet as a means of surveillance but also as a means of control over the populace.

DISINFORMATION OPERATIONS:

Screenshot from 2014-09-24 10:27:46

One way of controlling a populace is with the use of disinformation. What got me thinking about this though today was an article about how the recent online threats made by alleged hackers against Emma Watson turns out to maybe be a marketing stunt. Evidently a site was set up with a countdown to the release of nudes like those recently dropped by hackers in the “Fappening” The twist here is that in the end the site was just a shill to manipulate people by clickbaiting them and then using that traffic to make money possibly off of ads. There may be other designs behind this site and hoax but it sets a precedent that people should be paying attention to.

In the world of APT (Advanced Persistent Threats) and SE (Social Engineering) this is a common tactic. You bait the user with something that they just have to see and get them to click on something to infect themselves whether that be a file or a website or a link to one. This particular incident is in fact a form of disinformation just like the tweets coming out of ISIS/L trying to scare people into actions or behaviours. In this case the behaviour or action served the purposes of the creators to potentially make quite a bit of money from traffic to a particular site. In other instances this can lead to the compromise of corporations, governments, and end users to steal data such as confidential information or credit cards.

On a grander scheme though you can see the geopolitical actions of disinformation at play with every nation that has available internet access. If you look at the twitter streams and pages of Russia you can see manipulation going on in such cases as the last ill fated Malaysian airliner that was shot from the sky. In fact, the Russians have a very active online Trolling campaign that they use to manipulate people that sometimes is poor enough to just see right through. In other instances the information that is being used is not so easily determined to be skewed or false.

Now consider the whole debate over climate change. Take a look at the “Climategate” incident as well as all of the players involved both government and corporate that have had their hands in the manipulation of public opinion. It’s not just governmental and not just criminal but now a common practice of corporations and I would say has been so since the invention of Advertising and the primacy of Madison Avenue. I suggest you all go watch Mad Men again but not just to watch the unspooling of Don Draper’s life but how the advertising business works.

PSYOPS:

Screenshot from 2014-09-24 10:31:21

PSYOPS on the other hand were more military in origin but then the age of Advertising came along again and started using their precepts as well. In the case of PSYOPS online they are often used by military and government but never count the corporate entities out of the game. Recently it came to light that Facebook carried out some manipulation of it’s users in a program that wanted to see just how much they could change their moods. This experiment was also alleged to be affiliated with the military as well due to funding so you can start to see how it’s a win/win for Zuck right? Manipulate your user base to get them to be pliant and click on ads all the while being a potential pawn in a larger war for hearts and minds for the military?

As I mentioned above this type of warfare is being carried out on Twitter by the likes of ISIS/L as well as the USA. In the case of the US they are trying to troll ISIS and their possible base into “Turning Away” from radical jihad. With both of these cases you can see just how ISIS does this a lot better than the US. However, I would then point you to the chickenhawks all on Fox and other news sources decrying that ISIS is a fundamental threat to the US. Unless you pay attention and do the due diligence reading you may miss that the Pentagon says that ISIS is not as much of a threat to the US (via terrorism) than the current Khorasan group that is an AQ offshoot.

It’s easy to lose the truth between all of the shouting here online and off. Just how much is PSYOP to get a groundswell of support from the likes of the populace and their representatives in Congress is anybodies guess. I for one though think that there is a lot of this going on but too many people focus on the governmental and should start thinking about corporations that now feel empowered to carry out these kinds of campaigns because they have the money and the will to do so.

*cough BIG TOBACCO and OIL cough*

Justsayin.

The New (old) Dystopia:

So what it all comes down to for me is that we all need to be more mindful of this kind of manipulation. Remember too that it was the likes of HB Gary that were offering platforms to automatically manipulate people via social media for intelligence gathering as well as other desired effects. The dystopia kids isn’t just from surveillance but also PSYOPS and DISINFORMATION that manipulates people into actions desired by those carrying them out. In the case of the 4chan hating alleged hackers of Emma Watson’s pictures? Well, I am sure there’s a bank account somewhere with more money in it. I also can assume that there are some people having a real laugh about it as well. What’s more, these people also are feeling very smug because they got all of you to click on a link and do the work for them.

Just remember to vet what you read kids and be mindful that the internet is an open forum to manipulate you as well as your traffic.

K.

Written by Krypt3ia

2014/09/24 at 15:54

Posted in Disinformation, PsyOPS

ASSESSMENT: The ZunZuneo “Hummingbird” Social Network and The Cuban Spring

with one comment

Zunzuneo

 

Cuban Intranet and Internet Access:

Cuban internet access is minimal and very controlled the the government. There were as of 2011 about 124K addresses listed to the .cu domain on the internet belonging to Cuba and the average ownership of a computer was low. The same was true over cell phone ownership and use compared to other Caribbean countries. The regime’s control over all of the infrastructure pervades to the intranet being primarily a tool for propaganda and a means of control via surveillance on those who could access it.

Screenshot from 2014-04-06 07:13:01

Internet access though became a feature to the rich in the country or the political (both are the same in reality) and one could buy access to the internet for a hefty price underground. In fact some blogs have shown up over the years on the proper internet after dissidents paid for or obtained access either themselves or by exfiltrating data to outside sympathizers for publication on blogs like WordPress or LiveJournal. Generally, if you wanted a source of outside news you had to either buy access to the internet in the black market, get it on the streets from people with SW radios, or by some other means. This control over the media and technology has perpetuated the control of the Castro regime and allowed his dictatorship to continue.

CUBA CYBER

Cuban Telco:

Cubacel also is a single proprietorship of all cell phone communication (state run) on the island and in fact the ownership of cell phones is one of the lowest as well in the world for penetration of cell phone owners and use. This too means that the Castro government has greater control over what the people can access as well as a single point of surveillance that can be used as a mans of control as well. Of course today this is all being said in the age of the NSA tapping just about everything so please take this with a grain of salt and the knowledge of how that makes you feel about surveillance by any government.

Screenshot from 2014-04-06 07:24:17

I am unsure of the prevalence of cell phones today in Cuba but I am guessing that these statistics are only a little different today due to the controls that the Castro government has in place over it’s populace as well as the poverty rate of the island itself disallowing general ownership and use. While the numbers may have grown so too might the attitude of the government due to a shift in power from Fidel to Raoul Castro. While the former was a bit more hard line the latter seems to be a little more open to allowing the country to loosen it’s grip on the people and allow communications with the US. This may also play a part in easing the minds of the people into thinking they could in fact use cell phones and platforms like ZunZuneo to air grievances.

ZunZuneo:

The ZunZuneo platform went live in 2010 and was a “Cuban Twitter” which was text based on the cellular network on the island. It was in fact a program put in place by USAID (likely a covert program run by CIA in reality) and ran until about 2012 and at it’s end it had about 40 thousand users on the island. The broad idea of the project was to have the Cuban’s generate their own “buzz” around dissident ideas and allow them a means to text one another outside the controls (ostensibly) of the Castro governments eyes and ears. This though likely was not a complete success nor was the program a success from the standpoint of mass demonstrations happening either as far as can be seen by any news sources reporting on this.

ZunZuneo was inserted and run by contractors and purported to be a Cuban creation with cleverly hidden funds and controls from USAID/CIA. The program’s aegis was to insert itself, gain a user base, and then to start to send texts to the users to spur political unrest against Raoul and Fidel Castro’s government. In the end the program came to a sudden halt due to finance issues (alleged) but the reality is it never actually got the directive to insert itself as an influence operation. It operated unbeknownst to the users and in reality was a failure because I think USAID and CIA had hoped they would see dissent traffic on it’s own. It did not and thus perhaps the idea was seen as not feasible and the finances were withdrawn.

YOUTUBE

Influence Operations:

 

Screenshot from 2014-04-06 07:36:44

 

Influence Operations are nothing new and over the years many have been carried out on places like Cuba. With the advent of new technologies like the internet this has become even easier to carry out on average when the populace has easy and free access to the net. in the case of Cuba this is not so much the case like the DPRK. I would say though that Cuba has a much more permeable information border than the DPRK due to it’s geographical location as well as the current regime’s leanings towards opening up a bit more. Though it is still the case that the current government still holds all the keys to information flow as well as a secret police force that controls the populace who get out of line. So it is no paradise of freedom and beauty.

That the US decided to use USAID to carry out this operation is an interesting choice but in their charter is the mandate to “spread democracy” so while some might question the aegis here and say that this was a rogue operation I don’t necessarily agree with that. One must understand that at least USAID has access to many places under its mission in general of providing humanitarian aid so there is purview there. The question though becomes do we want to taint such an org in the future and deny access to critical areas where people really do need help? This will be the fallout from this in general globally and likely will hurt people in the end. As influence operations go though this was a bit of a flop in the short term however. In the long term though perhaps this may lead an internal company or group to create a new ZunZuneo because the 40 thousand people using it really enjoyed it. If someone were to create a new one and if the populace felt that they could in fact speak their minds freely, then maybe they would rise up.

ANALYSIS:

My analysis of the ZunZuneo operation is that it was a novel idea but lacked oversight. An influence operation that inserted itself as a platform for communication in a place where cell phones and internet access is tightly controlled was a gambit that was bound to fail in my opinion. This was in fact the digital equivalent of releasing balloons with propaganda over the DPRK (which is ongoing today) and does not have a penetration level at which a real traction could occur. It is my belief that the CIA/USAID thought that what they had seen with popular uprisings like the Arab Spring could be effected in Cuba internally by it’s populace. What they failed to comprehend was the amount of outside help the Arab Spring had from the likes of Anonymous and the general internet to assist them in carrying it out. In the case of the Arab Spring and other incidents the governments attempted to clamp down on communications that they controlled only to be denied absolute control by key players outside allowing access through POTS and other means.

In the ZunZuneo scenario two things did not happen to cause it’s failure at the end. One was that the populace who had access perhaps did not feel they could speak their minds because everything was on Cubacel to start with. The second was the fact that this program was not a populist movement from the start. You will note that the other “spring” incidents had access to the internet proper not only on twitter but also by other means. These countries already had a populace who had access to external information and were consuming it regularly. The same cannot be said about Cuba in general as I have described it above. The traction just wasn’t there because the people know already that the vehicle that the information operation was to use was already monitored by the government that is oppressing them.

At the end of the day though I have been seeing an easing in the Castro regime since Raoul took over from Fidel and this would I hope, continue as the two of them age into retirement (aka their graves) and the people might have a chance at that point to make a change. Time will tell just how much more Raoul opens things up post this little debacle. However flights in and out of Cuba are more plentiful and there is a flow of monies etc that could be much more beneficial in the long run than any influence operation ever could. My fear though is that the old guard Cubano’s in Florida may have had a hand in this as well and there may be more out there in the wings. It could upend the growth that has happened and that would be a shame.

K.

Written by Krypt3ia

2014/04/06 at 12:22