Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘.gov’ Category

Defeating Disinformation

leave a comment »

This tweet came up in my feed this morning and it got me thinking. There has been a lot of talk about how disrupting or denying the sources of disinformation could put a stop to it altogether. I for one have not been a proponent of strictly technical solutions to this because they never will work fully and while you can play whack a mole with fake news or disinfo operations, it will always propagate with those who have the cognitive bias and dissonance. What I mean by that is that the mind virus that is fake news or disinformation is just that, those who are disposed to it will propagate it if not create it out of whole cloth for their own reasons be they financial, cultural, or psychological.

While it has been shown that if you give those predisposed to these narratives, the truth once or twice they do not come to the conclusion that they are in fact falsehoods. In fact, the studies thus far have shown that you must repeatedly bombard those individuals with the truth (truth bombs heh) until they actually accept the truth. So, unless you can force these individuals to accept “truth” via other channels than the disinformation feeds, you will have little luck in stopping the disinformation from doing it’s harm and being magnified by those predisposed to their belief in them.

So, what I am saying here is that once again, the technology will not be able to stop the false narratives. The technologies today short of a truly Turing compliant AI that is plugged into the internet as a whole, will not be stopping the disinformation never mind those campaigns of falsehoods by the likes of an Alex Jones because they will be passing them in email, news sites, comments in sites, texts, tweets, over the phone, over the air, …everywhere possible. The reliance or thought of reliance on technologies alone to save us from all this kind of warfare is patently naive. The psychology of why disinformation works and how these things propagate WITH the technology is where we need to focus. More so we need to focus on the psychological aspects in relation to how we might leverage technologies to get the truth into the right minds with repeated viewings is key. Alas though, I fear that this is not what many in the technology space are considering and are relying on algorithms instead of focusing on the animal behind the keyboard. Until we do this I am afraid we are quite doomed to failure.

I also began to parse this tweet out a bit as well on the hacking versus the disinformation campaign. It is quite clear that the hacking and the dumps of information were at some level laced with disinformation but not as a whole was the hack a part of the disinformation campaigns by the GRU. While “not getting hacked” is a good start, the real problems came from other sources and in fact when I looked at the DC leaks stuff and the claims I did come up with some gold that the data did not come from the Clinton Foundation, but instead was DCCC and DNC only to the contrary of what Guccifer 2.0 wanted people to believe.

So yeah, the information being hacked surely added to the mix of disinformation out there but it was not a main contributor to it. Overall, the problems of disinformation rely much more on the psychology of the tribes at play now and the cognitive issues we have within them than the hacking ever did. It turned out at least in the Clinton campaign there was no real “there” there to latch on and make her look even worse with an expose of wrongdoings. The most we got was that they were treating Bernie poorly but really, that was it.

Where were the Benghazi revelations?

Where where the revelations that she and others were running a pedophile ring out of a pizza parlor in DC?

Where was the absolute proof that Clinton had ordered the murders of a number of US citizens and in fact was funneling monies around to places like Panama?

Oh yeah, there were none and this is the reason why the others out there including the GRU and the SVR were creating those narratives on Twitter, Reddit, and elsewhere for those predisposed to those mental virus were living and ready to echo the message to others. When the day comes that we see a dump of information that has been tampered with well enough to detect forensically, then we can parse that out a bit and prove out that a hacked dbase was the cause of disinformation like some of the DC leaks stuff tried to be. Other than that, the two roads do not meet in my book.

The technology is the amplifier but the humans behind the keyboard are the real engines here.

K.

Written by Krypt3ia

2018/07/16 at 16:58

Posted in .gov, .mil, 2016, 2018

Burning Sources

leave a comment »

Of late I have been working on my keynote for Circle City Con and as such been preoccupied with espionage in the digital age. As it turns out the keynote got me thinking about classical espionage quite a bit so the actual burning of an asset (in this case a CI Cooperating Informant working for the FBI) is unfortunately timely. The use of HUMINT in this case to collect information is a key part of the investigation and having this kind of asset burned by demands of the President is extraordinary. Of course others have been burned like Valery Plame, but she was an actual NOC agent! This though sets a bad precedent for the intelligence community and bodes ill for those other sources out there who might want to help us in future.

This is what happens when investigations and agencies are attacked for political gains by those actors who are adept at obfuscations. Of late all of the goings on surrounding the clear attack by Russia against this country and our electoral system have become so politically charged and muddled by active measures on the part of Republican supporters of Trump and his other minions has made me just turn off the news and walk away. It is my hope that this does not escalate further into a full blown constitutional crisis but it is kinda looking that way right now.

As we move forward though, I want you all to realize that these events concerning this source are extraordinary and not the norm for certain. It is only the ability of the president with a will to do so, to break every norm and attempt to subvert the very things that make America “Great” that we have an asset like this burned and likely feeling the pressure of attacks by Trump Nationalists and even perhaps now on the radar of the Russians. Any other circumstance where someone might be a source though on the FBI side may be a bit more safe than this particular instance.

However…

IF you are an asset for the US and you are currently working against any other countries interest, and perhaps particularly Russia, you may be in more danger as it seems that if Trump and his minions have their way, they could leverage this attack against others in thrall to their financial and kompromat masters. It may be time to get your bugout bags and your exfil plans ready…

Just sayin.

K.

Written by Krypt3ia

2018/05/23 at 20:11

Cambridge Analytica And Psychographics Versus Facebook Algorithms and Targeting

with 3 comments

Last week I came across some tasty data out on the net concerning the clients that Cambridge Analytica had been serving in the last election cycle other than Trump. Within that data dump I also came across some python scripts for harvesting data on Twitter as well from a developer at CA which ties them also to mining and using potentially, Twitter as well as Facebook to create pscyhographic profiles and to target those people out there who had the same sentiments and desires around electing Trump as president. What I found in looking at the data and doing some research has brought me to the notion that Analytica’s part in this whole thing was just one sliver of a larger whole. That together with the Russian active measures campaigns, disinformation, propaganda, and echo chamber incitement thereof, Analytica helped target some of the people that Russia needed to target as well as the Trump campaign itself.

In fact, after really digging in here, it has become clear to me that Facebook may have a larger part of the problem with their algorithms that commoditize their user base and allowed for weaponizing of that data to be used in the propaganda campaigns by the Trump campaign and the GRU’s operations. Cambridge Analytica is not the big bad here in essence but a part of a larger whole that the news media seems to be unable to grok because it is not as sexy as having a new Bond style villain to get clicks on. No, the larger and more subtle story here is that the people were manipulated by the Mercer’s, the Bannon’s and the GRU using the tools given to them by Facebook and Facebook as well as the media, to synergize the propaganda with the help of all that information the people have chosen (wittingly or otherwise) to give up by using these platforms.

While the truth keeps coming out in drips and drabs on Cambridge Analytica, one has to also take note of the Channel 4 undercover video’s as well where CA’s Alexander Nix offers up age old kompromat style operations to their would be client. This all likely is second nature to the SCL group, the company that is tied to the MOD and DOD as offering tools for propaganda and manipulation in the past and of which CA is a spin-off company. Once you understand this, then you can see how Nix might just be offering things off of the menu from SCL and happily so to make a sale here.

What Nix is offering though might in fact be the modus operandi for the “whole package” in the case of political manipulation. Think about it, you target the people you want to vote, you then set up the opponent with kompromat and then you leak that judiciously. It would destroy the candidate and prop up their opponent pretty well don’t you think? Overall, what you have to realize here is that Cambridge Analytica was selling itself not just as an analytics company with a side of advertising for political campaigns, but instead a one stop shop in black propaganda and dirty tricks using analytics and psychology to target the voter. Of course now you have to ask yourselves just how effective CA’s pscyhographics and operations really were, how they may have learned from past experience, and what may have been their pivot from just analytics and psychology to propaganda and dirty tricks to pay the bills. First though, let’s look at the data I found and run through some of the premises that CA puts forth to see where fact meets Phrenology.

The Data:

I was Google dorking around the other day and came across someone’s git repo that had an Excel sheet in it concerning Cambridge Analytica’s clients in 2016. When I opened this up I was amazed to see just who else was using CA’s psychometrics for their campaigns other than Trump. What I saw was that Ben Carson, John Bolton, Ted Cruz, and a host of other orgs had been using CA’s offerings as far back as 2014, in the case of Bolton’s super PAC. Carson and Cruz both had limited dalliances with CA but Trump spent considerably on Analytica in 2016. In fact you can see from the sheet, the campaign slogans or catch phrases that they tried too, using them as code names for projects.

All of this data was obtained through the fec.gov website where they have to give up the information as part of the law. So no secrets here really but interesting information to be gleaned on who was using CA’s services and just how long this has been going on. In the case of John Bolton, you can see that he was attempting to use CA to further the candidacy of someone he was supporting back in 2014. In total, the sum for all this work shown here is over four million dollars between all the campaigns and entities.

Notice though, no charges for Ukrainian hookers and blow for kompromat though. *snerk*

Of note as well are the ancillary campaign strategies or slogans that they had for Trump before they came up with the MAGA (Make America Great Again) claptrap, a slogan though that for those of a certain mind, worked wonders for Trump and his particular brand of populism no? You had “Make America Number 1” which is just not as catchy as “Make America GREAT Again” which they refined from the number one phrase. Of course the whole mode here is to say that America is no longer ‘great’ and it can only be made ‘great’ again by Trump. This is a clever little psychological trick in that it pastes everyone else as part of the pool of people that made America lose it’s greatness and is a phrase that those of a mind, can latch onto as a dog whistle.

While I was dorking, I also located a bunch of FARA statements that SCL-Social filled out and gee, who was funneling money to CA to work as a foreign agent? Why Dubai and the UAE of course! You can see the FARA statements made by Andreae and Associates (a political intelligence and risk group in the US) that is working for SCL-Social, a sub division of SCL-Group, and parent to Cambridge Analytica. What a tangled web we weave when we practice to deceive… Or at last manipulate.

Anyway, there is a lot out there and you can play the home game here.

As a side note, if you look at the original filings on the FEC site you can see more information on the who and the what and the how. In one case I have looked at so far, the LLC that was created to spend the money on “Make America Number 1” is called “GLITTERING STEEL” which to me sounds like one of those derpy names given to APT actors or bad spy novels. Well, once you Google that name though you can see even more about this, that it was a Bannon run entity and that there is at least one law suit pending over their illegal actions in California.

This shit is deep folks… Like “deep state” deep. Anyway, I will continue Googling but you can too! Let me know if you find good stuff out there that maybe I can further write about.

Python Scripts:

While I was Googling up that spreadsheet, I also came across some .py scripts that were on a github for a Michael Phillips, who works for Cambridge Analytica. His creations were for harvesting data from Twitter and pulled geolocation data in one and sentiments in the other. In his geolocation script he was looking to pull addresses with accurate lat and long too! Now, you and I know that Twitter allows this kind of thing and others like me have used different tools to pull OSINT on characters like da’eshbags and the like over the years. It is of note though, that Twitter has to my knowledge, not been mentioned that much with regard to targeting and psychometrics mining by CA in the press. So, this is interesting and makes me wonder if perhaps CA has had more inside access to other features of Twitter as well?

Twitter is notoriously not that helpful to the government and others so I have to wonder if access was given was it bought? What kind of data would Twitter have sold? What do we really know here? Do we know anything about this? Anyone have any insight here for me? I for one would like to know if Twitter was working with CA and to what extent if any they where. This becomes really important just like access to Facebook data because Twitter was the second tool du jour that the GRU used to sow all the chaos and push the propaganda in the 2016 election cycle as well as in other areas such as Brexit and other attacks on Ukraine and the like.

But I digress… Let’s look at the real value of Cambridge Analytica’s potential versus the tools afforded by the likes of Twitter and Facebook themselves.

Psychographics Versus Custom Audiences and Lookalike Audiences:

A lot of the news cycle has been taken up with Analytica of late but what are they offering and just how effective could psyhcometric profiles be of users on Facebook? CA claims to have the ability to target people by the OCEAN profiling system of analytics. This is how they managed to make an application that then stole others data in the form of a personality test that they leveraged on Facebook. While this testing can lead to some valuable information, it is not as accurate or the right tool in my book to micro target a voter as opposed to someone buying something that they like or want. While this was the bread and butter of CA’s claims the reality is that this tool is not enough to hone in on people that well to be a real factor in electing Donald Trump and you all have to realize this.

What’s more, if you look at the toolbox of Facebook alone, they have some algorithms and applications alone that could have been a major factor in Trumps win. The primary two tools are ‘Custom Audiences‘ and ‘Lookalike Audiences‘ which Facebook uses to target people for advertising and the like. Both of these tools take outside data, in the case of this last election cycle that data would be voter rolls. Uploading those rolls (which you can access) you then are targeting your audience to push feeds to. In the case of Trump, then you are using the Republican rolls and targeting en mas your message to them. Now, consider this, those same rolls were used by the GRU to push content to those feeds as well. That’s right, ad buys by the GRU, remember all the talk about that in the news?

Ok so where does that leave us? Well, with CA and Facebook, you could be targeting those people who are outside the rolls and magnifying your efforts with the likes and the comments by stealing the 50 million people’s data as well. This basically becomes an amplification attack kinda like a DoS if you think about it. In the scheme of things it seems CA was just another cog but when you look at it all as a whole you have to ask yourselves these questions;

1) Was CA able to target more people outside the norm?

2) Was CA then able to take ancillary data (other people’s) that also had the same “sentiments” as their core psychometric profile because they were friends of those core friendly users?

3) Was this data then given to the Russians either by insiders at CA or by the Trump campaign itself to help target users and spread the propaganda and active measures to greater effect?

These are the questions the Senate and House should be asking and I am sure that these are Questions the FBI and the Mueller probe are asking. Also, one should consider this more macro targeting than micro but meh, either way it seems that Facebook has a larger share of the blame that they certainly don’t want to take. This is especially true now that they have lost so much value on the stock market as well as losing clients like Space-X and Tesla recently in a backlash that continues.

 

Was, and Is Cambridge Analytica an Arm of SCL’s Propaganda and Psyops Operations?:

This leaves us at the point where Alexander Nix and his compatriot are seen on hidden video offering kompromat style operations as well as targeted psychographics. If you start looking into SCL, it’s mother org, you can see that they have a history of this kind of black propaganda offerings for the military and governments of the world. It would not be a stretch to see CA using SCL to do some dirty work if not doing it in house so to speak. So when Nix was caught on camera and later made some excuses that he was just “going with what the client wanted” I feel that this is closer to what he wanted to offer because it made money as opposed to the straight analytics package CA offers. Perhaps even more so, Nix knew that analytics was just not enough and that psychographics should really only be used in micro targeted ads for shoes.

If the targeting works, and psychometrics/psychographics do up to a point, then they can be a part of a larger package of tools to target a macro audience with micro tools. I think we have seen, and I have pointed out above that this is likely to work better as a larger package of many tools and operations to influence an audience but it is not the make all be all. I think they discovered that and went back to the old ways to make money with SCL’s cache and tools that have been in use for many years with great effect. Where the rubber meets the road in the 2016 election is that the Russians then possibly leveraged SCL and CA with or without their knowledge to even greater effect and that is what led us to where we are today.

How that actually happened is something for the investigators at the special counsel to tell us later on.

SCL’s Domains:

While I am on the subject of SCL and looking at future possibilities, I looked up everything that SCL owns domain wise. There are many domains that they own and we should keep an eye out for them in future being spun up. In fact, I kind of wonder if they have other domains hidden under other LLC’s etc that we have not seen that may have been part and party to some of the 2016 psyops and propaganda operations on behalf of the Trump campaign. Looking at these domains they have many plans and we should all be paying attention.

Domain Name Create Date Registrar
behaviouralanalytics.io 2016-09-17 GANDI SAS
behaviouralanalytics.org 2016-08-13 GANDI SAS
ca-affiliates.com 2017-08-23 GANDI SAS
ca-commercial.com 2017-04-07 GANDI SAS
ca-commercial.org 2015-05-06 GODADDY.COM, LLC
ca-commerical.com 2017-01-27 GANDI SAS
ca-commerical.net 2017-01-27 GANDI
ca-commerical.org 2017-01-27 GANDI
ca-commerical.us 2017-01-27 GANDI
ca-connect.net 2015-05-22 GANDI
ca-political.net 2017-01-27 GANDI SAS
ca-political.org 2015-05-06 GANDI SAS
ca-research.org 2015-05-06 GODADDY.COM, LLC
ca-worldwide.com 2017-08-25 GANDI SAS
cacommerical.com 2017-01-27 GANDI
cacommerical.org 2017-01-27 GANDI
caconnect.net 2015-05-22 GANDI SAS
caconnect.org 2015-05-22 Gandi SAS
cambridgeanalytica.co.uk 2015-07-08 GANDI [TAG = GANDI]
cambridgeanalytica.net 2015-04-21 GANDI SAS
cambridgeanalytica.org 2014-04-01 Gandi SAS
cambridgeanalytica.org.uk 2015-07-08 GANDI [TAG = GANDI]
cambridgeanalytica.tv 2015-10-22
cambridgeanalytica.uk 2015-07-08 GANDI [TAG = GANDI]
cambridgeanalyticaresearch.com 2014-12-31 GODADDY.COM, LLC
capolitical.co.uk 2015-07-08 GANDI [TAG = GANDI]
capolitical.net 2017-01-27 GANDI SAS
capolitical.org 2017-01-27 GANDI
capolitical.org.uk 2015-07-08 GANDI [TAG = GANDI]
capolitical.party 2017-01-27 GANDI SAS
capolitical.tech 2017-01-27
capolitical.uk 2015-07-08 GANDI [TAG = GANDI]
capolitical.us 2017-01-27 GANDI SAS
carchargeruk.co.uk 2017-02-16
daymate.com 2001-05-31 TIERRANET INC. DBA DOMAINDISCOVER
dclisten.com 2015-03-09 GANDI SAS
floridaediblesandextracts.com 2017-07-22 GODADDY.COM, LLC
free2teach.net 2009-05-22 TUCOWS, INC
ripon.global 2015-01-21 GANDI SAS
ripon.us 2014-08-13 GANDI SAS
riponplatform.com 2014-04-07 GANDI SAS
scl-connect.com 2014-12-11 GANDI SAS
scl.cc 2004-09-16 SCHLUND.DE
scl.group 2016-06-15 GANDI SAS
sclbehavioural.com 2010-05-27 GANDI
sclcommercial.co.uk 2015-06-21 GANDI [TAG = GANDI]
sclcommercial.com 2010-03-15 GANDI SAS
sclcommercial.uk 2015-06-21
sclconnect.cc 2014-12-11 GO DADDY SOFTWARE INC
sclcorporate.cc 2014-01-02 GO DADDY SOFTWARE INC

 

Domain Name Create Date Registrar
sclcorporate.com 2014-01-02 GANDI
scldata.co.uk 2015-06-20 GANDI [TAG = GANDI]
scldata.org 2014-04-07 GANDI SAS
scldata.org.uk 2015-06-20 GANDI [TAG = GANDI]
scldata.uk 2015-06-20 GANDI [TAG = GANDI]
scldefence.cc 2014-01-02 GO DADDY SOFTWARE INC
scldefence.com 2010-03-15 GANDI SAS
scldefense.com 2010-03-15 GANDI SAS
scldigital.com 2015-01-16 GO DADDY SOFTWARE INC
sclelections.cc 2008-08-04 GO DADDY SOFTWARE INC
sclelections.co.uk 2015-06-21 GANDI [TAG = GANDI]
sclelections.com 2008-08-04 GANDI SAS
sclelections.net 2015-07-07 GANDI SAS
sclelections.org 2008-08-04 GANDI SAS
sclelections.org.uk 2015-07-07 GANDI [TAG = GANDI]
sclelections.uk 2015-06-21
sclgroup.cc 2013-08-29 GO DADDY SOFTWARE INC
sclgroup.net 2016-05-02 GANDI
sclgroup.org 2016-05-04 GANDI SAS
sclgroup.org.uk 2015-06-21 GANDI [TAG = GANDI]
sclsocial.cc 2014-01-02 GO DADDY SOFTWARE INC
sclsocial.com 2010-03-15 GANDI SAS
sclsocial.net 2015-07-07 GANDI SAS
sclsocial.org.uk 2015-07-07 GANDI [TAG = GANDI]
sclstrategy.com 2012-11-14 GANDI
scluk.cc 2014-01-02 GO DADDY SOFTWARE INC
sclworldwide.cc 2014-01-02 GO DADDY SOFTWARE INC
solventlessextracts.net 2017-07-22 GODADDY.COM, LLC
thesclgroup.com 2016-04-25 GODADDY.COM, LLC
thetealgroup.org 2015-09-21 GODADDY.COM, LLC

 

Conclusions:

So here are my conclusions looking at all of this stuff. First off, CA is not the big bad here but Facebook and maybe Twitter are. Ask yourselves and ask them just how much data they sold or gave access to other entities in the 2016 election cycle. Who were they? Were they connected to CA? SCL? GRU? Also be asking yourselves just how much do you want Facebook to have of your privacy? In posts recently I have seen people saying that phone calls and other private data were in the data dumps they downloaded. How did that data all get into their hands? Well, you let it happen! If you have Facebook on your phone, well, then they have everything and unless you read the fine print, you are boned.

Secondly, I for one believe that Facebook and Twitter and other social media entities sold data to GRU cutouts and they should be taking more responsibility henceforth. I know that Facebook has made efforts to control ad buys and such but really, they hold the keys and unless they vet every application and client, well, it could happen easily again. Zuck needs to grow up and stop the fuckery. His platform is now a weapon and our privacy is the ammunition. I also think that everyone should consider leaving the platform because they hold too much of your data that can be abused. Until such a time as they take this seriously I would not invest the time on them.

Thirdly, I have to wonder just how much information was being passed between CA and Trump/Bannon/etc that made it to the GRU. There are more than a few Russians in the CA constellation that could have been leveraged by the Russians but until some thorough investigation is done it is hard to tell what happened here and at what scale. I do find it interesting though that at least the Facebook data and tools were leveraged and wonder how much was direct buy from GRU cutouts as opposed to passed on perhaps by assets within the Trump campaign itself.

Time will tell but in the meantime here is some data for you all to Mueller.

K.

Written by Krypt3ia

2018/03/25 at 15:00

Posted in .gov, Propaganda, PsyOPS

2018: Active Measures and Hybrid Warfare Possibilities

with 2 comments

With 2018 just hours away I thought I would add to the cacophony of posts on what you might see in the year to come, but in my case this is the black swan edition of NATSEC for the new year. There will be in my opinion no way that the Russian’s up the ante on active measures and hybrid warfare on the United States in the next year especially since there will be elections for Congress. Elections that will likely lessen Russia’s grip on the country if the Democrats can actually be a majority and control the possible investigations that are ongoing today.

Of course even if there weren’t an election coming the Russians and possibly others would still continue to stoke the active measure fires because it serves their ultimate purpose of making the US inert politically on the world stage. The whole point of these actions is to divide us and to lessen our ability to counter Russia in their global machinations. Overall, it is likely to be a wild ride next year and this primer may help you comprehend what might actually be happening.

Definitions

Active Measures Definition: (Russian: активные мероприятия) is a Soviet term for the actions of political warfare conducted by the Soviet and Russian security services (Cheka, OGPU, NKVD, KGB, FSB) to influence the course of world events, in addition to collecting intelligence and producing “politically correct” assessment of it.

Information Warfare Definition: Information warfare (IW) is a concept involving the battlespace use and management of information and communication technology in pursuit of a competitive advantage over an opponent.

Propaganda: Information, especially of a biased or misleading nature, used to promote or publicize a particular political cause or point of view.

Kompromat: kompromat. Literal meaning. compromising materials. In Russian politics, Kompromat, literally “compromising material”, is damaging information about a politician or other public figure used to create negative publicity, for blackmail, or for ensuring loyalty.

Hybrid Warfare Definition: Hybrid warfare is a military strategy that blends conventional warfare, irregular warfare and cyberwarfare. … There are a variety of terms used to refer to the hybrid war concept: hybrid war, hybrid warfare, hybrid threat, or hybrid adversary (as well as non-linear war, non-traditional war or special war).

The Players:

I want you all to consider that it will not only be Russia playing “Patriot Games” *wink wink* with us all in 2018, but also the other players who likely will be part of the larger picture here. Russia is a given, but as we have seen of late, the GOP seems to be playing much of the same cards that the Russians have against us in the last couple years. The GOP has taken their playbook and augmented it with Trump’s particular brand of crazy as well. Ultimately we have gone through the looking glass because the Russian’s active measures worked. We are now in a “post truth” and “alternative facts” universe which has caused many unable to parse out the reality of things to just either shut down or buy into their narratives whole hog.

  • Russia: will continue to attack reality and cause more fissures within our people and our government.
  • GOP: Will adapt the Russian and Trumpian playbook as well. They have done plenty of dirty tricks in the past, but now, they are armed with a tactical info nuke.
  • Third Parties: China, Iran, others, all will have their reasons to continue and extend the fissures and use them to their advantage.

There are many players who may want to get in on this game to serve their own purposes. Remember this as you try to sort all of it out as it happens.

Attacks

So I am going to throw out some scenarios or attack models here for you to consider. Some or all of these may happen in 2018. Maybe none will happen… Who am I trying to kid here! In any case, consider these as possible attacks and you may even see variations on these themes.

Sub Operations: HYBRID WAR

As we have seen a recent uptick in this activity already, and I am not sure of our SOSUS capabilities anymore, we have to consider that attacks may come from these little sub visits. Now, if you are up on your sub history, the Jimmy Carter (SSN-23) was one of the subs that tapped RU comms. As we have tapped post SORM traffic, the Russians are likely doing the same with the fiber that is on the bottom of the ocean as well. These kinds of listening operations are pretty standard, but consider now that the Russians have stepped this up might signal more possible scenarios. By shaping traffic, cutting traffic, or injecting things into it, the Russians could have quite the little advantage.

  • Subs intercepting (tapping) traffic
  • Subs ability to leave a dead mans switch or active kinetic measures to cut cable
  • Subs tapping allowing to add data to streams and or advance hacks

Hacks and Disinformation Operations: INFOWAR

The hack on the DNC servers was a pretty standard affair using phishing mails and then exploitation of the systems therein once they got a foothold. What data was exfiltrated though, and how it was parsed out and weaponized was the old new trick the US could not foresee evidently. The Russians have been carrying out this kind of warfare for years on Estonia and Ukraine as well as other countries that they feel the need to destabilize. We saw a fair amount of this in our election cycle in 2016 and you should expect more in 2018. In fact I would hazard to say that the operations are already in progress and data is being collected even as I type this.

  • Hacks on news systems
    • Insert fake stories to cause chaos and to delegitimize the org
    • Cause chaos and uncertainty (broadcast primarily but also news sites like CNN’s page)
  • Hacks on EAM systems (Emergency Action Message) There have been recent hacks on these systems by hackers but imagine a nation wide alert set by Russia?
    • Cause panic
    • Cause DoS on telco and other systems
    • Spur over action by government and populace
    • BGP re-routes
      • Ability to disrupt news
      • Ability to disrupt C&C
      • Ability to insert data into C&C
  • Leaks
    • More governmental leaks
    • Personal leaks (kompromat)
    • Leaks of doctored documents (Disinformation Operations)
  • Trolls armies
    • Twitter
    • Facebook
    • News sites
    • Comments sections
      • As we saw on the Net Neutrality comment site, these attacks can be leveraged against any public comment topic. So imagine it being used on the White House site (that is if the Trump admin hadn’t basically killed that function already)
    • Radio commenters
    • AM/SW radio broadcasts

HUMINT/Asset Recruitment

Ah yes, one of my favorite categories… As an old school guy who was around before the computer was so ubiquitous, this form of espionage was the thing. Of course the NSA had signals intel, radio, bugging, etc, but good old human assets can do quite a bit and should still be a thing. Today I would say that in tandem with the active measures attacks that we have seen and will see in 2018, you can count on more human assets being activated. These can be trolls that are real people who take on personae online as well as players within the system who have been recruited or turned.

  • Asset recruitment of GOP players
  • Asset recruitment of proxy group individuals
  • Kompromat use

Kinetic Attacks by Proxy Operations

Kinetic attacks are not as likely but given that things are getting out of hand, and may get even more out of control, I thought it prudent to add this. What I mean by kinetic attacks by proxies is simply that the actors could incite groups and individuals to violent action. We saw in 2017 the Nazi (alt-right) movement’s rise and in that, we saw violence perpetrated as well as at least one death by a Nazi running down a protester. This type of activity is standard operations really in the history of espionage and active measures both by Russia and by the US. If you doubt the US has done such things you should look up our interventions in South America in the past.

  • Insert proxy actors to actualize physical attacks
  • Use groups like KKK and others to initiate more kinetic actions like bombings and confrontations
    • Cause over reaction on populace part
    • Cause over reaction by local and federal governments
      • Over reactions like martial law or other types of crack downs
      • Likely to cause further surveillance tactics and programs

Digital Attacks That Lead To Kinetic Results

And the attack du jour of late, the cyber attacks that cause kinetic effects! Honestly there is no evidence of there being a possible wide scale attack being carried out successfully on the US grid, but, there is always a chance. Of course smaller scale attacks in regions could be possible and carried out to great effect. The effect I speak of would be to perhaps hinder voting, but more so to sow chaos and uncertainty in the population. If you strike the right balance, you could even tailor an attack to lead people to a certain political actor as they run a narrative that gives assurance of reciprocity etc.

I know, now it’s sounding all Manchurian Candidate huh? Well, look at Trump and what happened and then think about it again. He has been pretty much using the Russians playbook that he was given by Putin so it’s not so inconceivable.

  • Power: Power goes down
  • Water: Water stops flowing or becomes tainted
  • Telco: Cells go down
  • Media: No news in an emergency with any of the other situations people will freak
  • Internet Infrastructure (as mentioned above in attacks on cables) No communications, freaking populace

Well, those are some of the scenarios I can foresee. I am sure there will be plenty of others that I could not even imagine today. Suffice to say that we will be under attack again with more vigor specifically by the Russians and the GOP in hopes that they will keep their seats. All of us just need to strap in for the Krazy Ivan to come. Just remember to be judicious in your consuming of media and always think before you freak.

Happy New Year!

K.

 

Written by Krypt3ia

2017/12/29 at 22:19

Posted in .gov, 2018, Infowar

Blackberry Forward of Emails and Excuses for Firing the FBI Director

leave a comment »

Given the events yesterday I am feeling like unburdening a little bit on the subject of the emails being forwarded by Huma Abedeen to the laptop at home in the custody of Anthony (Carlos Danger) Weiner. One of the reasons for Comey’s firing ostensibly was about his mis-statements over the emails being sent to the Weiner laptop that he opened the can of worms on and helped lose the election for Hillary (not the only reason people!) as they say. The fact of the matter is now everyone is saying that Huma’s emails were auto backed up and that the term “sending” them is a misnomer in a way because the then director had said she was forwarding them for printing out by Anthony or her at home. Let me stop you all right there and say there is no difference. The intent of forwarding the emails or backing them up to an email address accessed by or directed to that personal laptop is the key here. Someone had to set that up right? It was something that did not evolve by itself and just came into being!

The issue here is the semantics of language and perhaps comprehension of how things work in the cyber. Comey made a mistake in wording but the basis of the argument stands. Why was she forwarding or backing up all data to that laptop or account outside of the government systems appropriate for this series of email? This is the question you all should be asking and once again it was against protocol and yes there were emails in there that later were deemed to contain classified information. This makes it an issue and it was something that needed to be looked at. Now, as to how it was announced, well that is a judgement call on the part of the director and perhaps a bad one. I honestly listened to his testimony and saw both sides of the issue as well and there was no good answer here.

Now though the director has been fired in a most unceremonious way and all of this smells bad with regard to the RussiaGate investigation and abuse of power. Let’s not allow Trump to skew this one thing amongst all the others into a reason for his firing a direct threat to his presidency. The real truth is that Huma was sending email to a non secure site/system and that was the crux of the issue. Director Comey’s description of this incident has little do to in my opinion with his summary dismissal of the director.

K.

Written by Krypt3ia

2017/05/10 at 13:05

Posted in .gov, FUCKERY

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

Prosecuting The Russian Cyber War: Beyond The Hyperbole

leave a comment »

screenshot-from-2016-12-19-13-42-28

This weekend my father actually asked me what I thought Big O was gonna do to respond to the hacking of our elections. He continued in the same breath to ask if we were going to take out Russia’s grid or something like that. My first thought was to say “Noooo” and to then explain to him how that might go all kinetic real quick like on us if we did. My response to him yesterday will be the genesis of this blog post today for you all. Since everyone seems all hot and bothered as to how we will respond and not giving Big O the benefit of the doubt that he actually reads the PDB’s and thinks about them, I will boil it all down to what I would do against Russia and Pooty to thread the needle and not cause an escalation.

First:

I would undertake the review on what exactly happened with the IW/DISINFO/PSYOP/Hack that took place for the election. This is important to not only understand what happened, but to understand just how much damage was done and what actions it took to set that into motion. From this you can assess the response level you need and in this case it has been rather speculative as to what really went down. This I also really point at the whole argument that the election machines in key states may or may not have had some supply chain tampering going on. So far I personally have seen no evidence that there was enough of an investigation to rule this out.

Second:

I would look at the capabilities we have and the intelligence we have collected on Putin. Intel such as a good psych profile and anything on his wealth/business structure. With both of these I would seek to discern what would hurt him personally, not so much the country. I would also use the psych profile to determine in red teaming out what his responses would be to certain scenarios. In essence I would perform a game scenario simulation to get the best results for us and start to build a plan(s) on those.

Third:

I would, knowing that this attack was personal for Pooty, and given his nature (much like Trumps really) I would perform the following actions;

  1. Attack his finances. All of the dirty ones first.
  2. Attack him with whatever kompromat we have (CIA/NSA) in the same leaks style that we saw from the elections (See news today about Tillerson for a cue)
  3. IF we have the assets in place both digital and “other” I would work to counter ongoing efforts in Germany and France as well as other places where we know he wants to do the same thing politically

These are the things I would do in parallel to assessing the damage to our forward capacities regarding the ShadowBrokers recent tease. IF all of those exploits on there are real, then all of them have been compromised and burned. Any operations that may have used those tools are burned and any future use of them has been burned. It is my opinion that the new events with the ersatz “Boceefus” account is just Pooty and the GRU saying “Try anything and you will fail” but that is only one dimensional thinking frankly. It is time to go beyond bits and bytes and also use HUMINT.

Just this guys take…

K.

Written by Krypt3ia

2016/12/19 at 19:05