Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Games’ Category

A Real Cardinal of the Kremlin: An Asset In The Kremlin Exfiltrated and Blown By Russia and MSNBC


Breathlessly and with great hyperbole the MSNBC report came across my iPad as I sipped my morning coffee, the reporter eagerly reporting on their “scoop” of locating, potentially, the whereabouts in Washington DC of the Russian source inside the Kremlin. I sat agog at their reporting, a mix of “OMG OMG OMG LOOK AT US!” and “Sorry, I can’t report the details because two guys in an SUV came at us after we rang a doorbell!”, as the bile rose inside of me. I then took to Twitter and began to get information that surprised me and made it all the worse. It turns out that MSNBC buried the real lede in their reporting. It seems their “tip” on the possible asset that was exfiltrated in 2017 was in fact from the Russian government by proxy of a news site called Kommersant.ru.

The Kommersant article, posted yesterday before MSNBC made their rush to the address of the alleged Russian asset in DC, gives the name plainly, which I will not do here, and links to earlier stories of the missing official who went on vacation in 2017 and “disappeared without a trace”… Of course the Russians would have readily known who the asset was after the EXFIL, but to post it online was an interesting move. Originally “The Storm”, another Russian news outlet, posted in October 2017 about the missing Russian official, but no one in the media took note, it seems. The updated story in Kommersant though was prompted by the stories in the media about how Trump could not be trusted with intel (think Lavrov and Kislyak in the Oval, where Trump released code word intel to them and blew an Israeli operation). As the stories swirled from CNN saying that the exfil had happened because of Trump, the Russians I am sure began to ponder how they could stick a finger in the eye of the US and the CIA.

What they did was just remind everyone that the name of the asset in their opinion was <REDACTED> and that his new address was <REDACTED> in Virginia USA. They actually gave the address in the article. MSNBC got the tip somehow (likely monitoring sites like Kommersant) and immediately dispatched a crew to go to the address and knock on the door Geraldo style and get the scoopy scoop and win the news day! Pay no mind to the potential intelligence disaster it may cause to someone who did a great service to this country.

…But hey HEADLINES! CLICKS! ADS! BYLINES!

Anyway, the asset has been moved I am sure but a lot still needs to be discussed here about this whole thing. I mean, why would they re-settle this guy and his family under his own name? Why would they allow them to purchase a rather large house under their names? I mean, once upon a time when you were exfiltrated from Russia (SOV Bloc) you got a new name and you got some money and lived quietly as you were consistently debriefed. Has the CIA lost its collective mind? Is this even the guy? What the hell is going on here? With that question upon my mind I will give this a bit of thought.

Is this the asset in question? … Given the details of their disappearance in 2017, and his role in the Kremlin, I am going to lean toward yes.

Why was this guy allowed to buy property and live in the open under his real name? … I honestly have a few theories:

  • The CIA wanted the Kremlin to know as a poke in the eye and a challenge. If this guy gets a polonium enema in the US, shit is gonna go plaid.
  • Also, the asset’s new life in a free country with considerable assets would perhaps entice others.
  • His EXFIL was pretty out in the open once he went RED RABBIT, so, perhaps there just was no need for an elaborate re-settlement and name change.
  • Lastly, perhaps there is some incompetence going on? Who knows, maybe the asset demanded they live free and under their own name?

What is going to happen now? … Well, if this asset has been moved as I suspect, then they likely will get that name change because they are spectacularly blown because of Kommersant and now MSNBC and all the other services. I mean, I did not name the guy here but Kommersant did and with just the name I tracked them down to the house through sales records online!

Jeez!

All in all, this whole affair just makes me scratch my head. I mean, we are really through the looking glass in 2019 with everything that has been going on since 2016 but wow. This whole thing at least moved me to post, something I have been uninterested in doing for a long while now, so there is that. I will watch the game unfold and see what plays out. I gotta say though, recent events regarding losses for the CIA in China and Iran have me worried that we have lost some of our skill sets in HUMINT. I would love to find out that this whole debacle was really a play at something larger by the CIA, but, I fear it wasn’t.

Interesting times…

K.

Written by Krypt3ia

2019/09/10 at 12:58

About That Manafort Leak…

with 3 comments

Paul Manafort, campaign worker for Donald Trump, president and chief executive of Trump Organization Inc. and 2016 Republican presidential candidate, not pictured, speaks with the press during an election night event in New York, U.S., on Tuesday, April 19, 2016. Trump, the billionaire real-estate mogul, got a major boost in his quest to secure the Republican nomination with a majority of delegates but could not eliminate the possibility of a contested convention. Photographer: Victor J. Blue/Bloomberg via Getty Images


So yeah, I posted a story last week about how a dump of data in the darknet seemed to be in fact Paul Manafort’s daughter’s iPhone. It seems that this story was just too good to lose for Politico and the unscrupulous reporter there lifted not only my story but also my images! (Yes, the hashes match, he just saved them local and re-named them.) Politico has done nothing to remedy this and they are churnalists of the worst kind, but they did at least call some people in the Manafort court to see if they would admit to the hack and they did. I could have told them that the hack was real because there was more that I did not post on the blog last time.

The fact of the matter is that in the dump there was also a SQL dbase that I got hold of, and in that dump there’s one little interesting factoid. Paul Manafort has an email address that seems to be on a personal domain that isn’t really known about. In the dump connecting with his daughter is a personal iPhone for Paul and in that connection via text is his email address (pmanafort@dmpint.com). When you look up this domain you can see it is one of a few that belong to the Manafort family but registered by another party; one Todd Hankins. Now it seems to me that in an era of “BUT HER EMAILS” this factoid might be of interest to say, I dunno, the IC that he has this and his email is being sent to and from this cutout domain.


Now the domain has never had a site on it and as far as I can see with the limited looking I have done this domain has been kept kinda on the downlow as the Manafort name is not on it like the others. The ONLY thing connecting it to Paul now is the email address and the fact that Todd there set it up for him in 2010. I personally find that interesting… You? I have passed this little tidbit to the right people but now I am going to go wide with it… One wonders as to what emails might lie within that pesky little email system at dmpint.com.


Let the FISA WARRANTS FLY!

K.

PS!!!

Google that domain and see what you get… It comes up all Ukraine travel sites… What does Google know hmmmmm?

Written by Krypt3ia

2017/02/27 at 14:23

Posted in Games, OSINT, Russia, Tradecraft

The DNC Hack: SVR? KGB? GRU? Lone Hacker?


Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering replete with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin, for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors’ software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fifth, sixtieth actors also in the network or having been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was Cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)? Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the Excel files
  • The Word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to its quite OBVIOUSLY being Mother Russia’s exclusive secret services.
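An added example, not part of the original post: a Python sketch of the kind of check described above, pulling the core properties and any leftover e-mail addresses out of an OOXML (.docx/.xlsx) package. The sample file is constructed in memory, the address in it is made up, and putting the Феликс Эдмундович string in the lastModifiedBy field is an assumption for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inspect_ooxml(data: bytes) -> dict:
    """Return surviving core properties and e-mail addresses in an OOXML file."""
    report = {"core": {}, "emails": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                node = root.find(path, NS)
                if node is not None and node.text:  # skip stripped/empty fields
                    report["core"][key] = node.text
        # Addresses often survive in cell text even when properties are wiped.
        for name in names:
            if name.endswith((".xml", ".rels")):
                text = zf.read(name).decode("utf-8", errors="replace")
                report["emails"].update(EMAIL_RE.findall(text))
    return report


def build_sample() -> bytes:
    """Constructed sample: a minimal .xlsx-like package, not a file from any dump."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator></dc:creator>'
            '<cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    shared = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<si><t>donor.one@example.org</t></si></sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_ooxml(build_sample()))
```

The same function works as a pre-release check on your own files: anything it reports is something a reader of the published document can also see.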

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The fact that this person(s) reads, writes, has Cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

[Twelve screenshots dated 2016-06-17 were attached here.]

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campaign against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt --> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be released on Wikileaks --> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server --> Russians --> PWN wink wink nudge nudge!)

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34

Paddy O’Neil can sleep at night. In fact he probably enjoys the irony. She’s not Irish; she’s English.


Written by Krypt3ia

2012/03/20 at 15:41

Posted in Crypto, Games