Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Infowar’ Category

OilRig Games: Dumping IOC’s, Tools, and Deets on Iran

leave a comment »

NARRATIVE:

On March 26th 2019 an account on Telegram named  لب دوخته گان (sealed lips) “Labdookhtegan1″ began dropping details on OilRig aka Muddywaters APT group on Twitter. The data that this account dropped consisted of names, details of the actors allegedly behind OilRig/APT34, and screen shots and details of compromised systems and tools being used by Iran. Since March the actors involved in dropping the dime have gone on to create two darknet sites as well as three accounts on Telegram where they dropped much of the same data. The Telegram and the successive Dookhtegan1 account(s) on Twitter also put out a video with their announcement. The video consists of clips of President Obama making a speech much like the kind of thing you see in movies threatening someone using sound bytes.

 

Analytics on Dookhtegan:

  • Dookhtegan لب دوخته گان “sealed lips” as an image and a maxim was the creation of Mehdy Kavousi, an Iranian immigrant in the Netherlands who is protesting immigrant deportations. The image is famous and literally shows Mehdy with lips sewn together in protest.
  • The original photo has been shopped by many including the actors here creating these accounts and dropping data
  • Dookhtegan is only one of many accounts
    • labdookhtegan
    • labdookhtegan1
    • Green_leaks
    • Green_Leakers
    • Bl4ck_B0x

  • The data drops all included Farsi commentary as well as English
  • The backstopping of the data is tied to actual compromised system addresses and files of malware
  • Interestingly, the translations of Farsi to English seem to imply that the writer is not a native speaker of Farsi

 

DATA DROPPED:

The data dropped by these guys is rather splashy. They have named names of at least six guys and two companies in Iran they claim are part of MOIS/IRGC actor group

  • Omid_Palvayeh
  • alireza_ebrahimi
  • mohamad masoomi
  • saeid shahrab
  • taha mahdi tavakoli
  • Noorsec —>Sec Company
  • Rahacrop –> Sec Company/School

All of the actors dossiers are included in my zipped drop below for you all to oggle. OSINT on these guys may come later but for now I am kinda meh, they are blown.

FILES DROPPED:

Labdookhtegan1 dropped many files as proofs of their work and outing of the IRGC. These included such things as passwords to compromised systems, tools they used, and other proofs to show IRGC activities on the following places of interest (see list pictured) The targets pretty much show activities in the middle east and areas that the IRGC would like to attack. Of course I am not seeing any US assets nor other areas, which, is rather interesting no? More on this in the context and timing section below….

I am currently looking at the technical tools and may have an update later on with tech details but for now, be happy with Uncle Krypt3ia’s gift of all the files and dox in one zip!

Tools, Techniques, and Assets

CONTEXT OF TIMING:

Right! So, the timing of these drops is rather convenient for the US huh? I mean, even as we speak Donny and his mustachioed pal Bolty are looking to maybe attack Iran for whatever reasons they have. The actors here try to make a case that perhaps they are in fact Turks, but I am kinda not buying that at all and the touches with “sealed lips” aka Mehdy Kavousi is also a nod toward some sympathy for Iranian immigrant feelings on deportation and feeling silenced. This too I am not buying, so once again that brings us back to the whole idea of “Cui Bono” and for me who really benefits here on so many levels would be America and the NSA perhaps or CyberCOMMAND?

So picture this… We decide to drop dox and TTP’s on Iran in the REGION as a means to blow IRGC out of the water and re-tool as we are ramping up for maybe some action in the region and we need, oh, let’s say, a receptive audience(s) in said region to help us were we to get kinetic with Iran. How’s that play for you all? It certainly plays for me. This is a stick that likely is dual edged and wins for us in my opinion. After all, the IRGC is in the regions playing their games as always, but the skinny recently is that IRGC messaged all their proxies and took them off the leash, and more to the point, in Iraq.

Think about that kids….

Say, didn’t we just pull out all our State folks from Iraq?

Why yes we did… Gee… WHO KNEW?!?!

Ponder that.

ASSESSMENT:

Overall these are interesting times and if you are in the game here and want to have all the fun bits, download the zip file with all the things. You’re welcome. I am glad to put it all in one place for you to have instead of playing games with all the companies out there trying to get you to buy their content while hiding the good shit behind a paywall. My assessment is this, that the players have been exposed, the companies they work for have been blown, and we all likely have much more to dig into now and coming soon. In fact a little birdie told me about a new dump this morning (yes it is in the zip file) so WHEEEEEEE!

Watch Iran and the region… I have a bad feeling.

K.

 

PS! I almost forgot.. I found some of the malware online in VT/Hybrid

https://app.any.run/tasks/a74d0d54-a996-4ae0-979f-675bbdd3bbad/

https://app.any.run/tasks/69ad1f9f-9dc4-475e-8762-b31283f314f1/

https://www.hybrid-analysis.com/sample/3c0c58d4b9eefea56e2f7be3f07cdb73e659b4db688bfbf9eacd96ba5ab2dfe5/5cdabffa028838cc0ea26b0a

Enjoy!

PPS! Almost forgot.. These cats even created a LinkedIN page for one of the burned!

Screenshot from 2019-05-09 10-29-37

*giggle*

Written by Krypt3ia

2019/05/16 at 14:03

Posted in APT, APT34, Infowar, Iran, OilRig

SOFWERX Presentation: Your Algorithms Won’t Save You: Why We Need More Sociology and Psychology in The Fight Against Online Disinformation & Propaganda

leave a comment »

Here is the deck from yesterday’s presentation at the SOFWERX Radial Speakers Series on Information Warfare:

 

Your Algorithms Won’t Save You

Video will be available from SOFWERX

 

Written by Krypt3ia

2018/12/05 at 12:56

USA Really: New IRA Troll Farm Site and Twitter Account

with 2 comments

So this morning I saw a tweet come across the feed by RVAWonk that was proclaiming that the IRA was back with a new site and the fuckery was pretty much just naked on their part. In the article she goes over the salient technical details of the site and the accounts. It also has another nice linked post that does a bit more in that area as well and I recommend you all read that too. However, I took a bit of a deeper dive looking at the site itself and it’s coding as well as did some Maltego mapping of it and the Twitter account. My overall take on all of that is pretty much “meh” … What really intrigues me and has been bothering me for some time now is that everyone is busy mapping all this shit but the fact of the matter is that mapping does not stop the cognitive dissonance that the Russians are playing on to win this game.

The Russians here are basically at a point where they aren’t even trying to hide the fact that the site is a Russian propaganda/disinformation effort and this is the important fact we all seem to be missing in this community. This shit works and even though most people do not have the technical abilities to look deeper into the code and the domains, it is pretty plain when you look at the site itself where they use Cyrillic and Russian in their image names and such that it is in fact a Russian operation.

We will all likely go down the rabbit hole on the how many followers they have on Twitter and who they follow. We will collate all the data and sift it and parse it all to put out reports on how they did this. My problem though is that we can investigate the shit out of this all we want but unless we come up with strategies to deny, degrade, or destroy the content, it will reach those tribalists out there who want it and the damage of 2016 will continue on unabated. What’s even more galling here is that the Russians have basically pulled a Babe Ruth by announcing this site and putting it out there so flagrantly with cyrillic in it and on domains owned by a russian domain hosting service. In reality they just gave us the bird and we are now going to just have to sit by and watch as they inflame the Trumpists to hopefully affect the mid terms with this crap.

 

Of course maybe Twitter will catch on here and swat this account offline? You hear me Jack? … *tap tap* this thing on?

 

Oh well, so there’s a new site and it seems they have also employed an SEO in there as well. The site has a lot of means to track posts, likes, geolocations etc as well. I have mirrored the whole site and am still poking through the code. The SEO is a new old site too with an anonymous domain resister back in April of this year that likely is also the Russian’s doing as well. I am sure many of the community will keep an eye on it as we go along so someone will eventually write about this as well with rapt verbiage not really doing anything about the problem as well.

 

So here’s my thing, we are all spending all this time nattering on about it but what can we do to stop such propaganda sites and Twitter accounts from spreading the mind virus? If we cannot stop them, how can we innoculate the general public from the effects of such mental plagues? These are the questions we should be asking and I just don’t hear it happening. I know that it is a rich and difficult problem dealing with the psyche and cognitive dissonance but we really need to lay off all the techno babble and focus on real solutions. Solutions that conern the human animal, not the technology kids. The Russians already know this and they are leveraging it. I mean, how much more blatant do they have to be? How about they just post billboards now in Cyrillic for Trump in all those Trump states?

Focus people.

K.

Written by Krypt3ia

2018/06/06 at 13:38

Industrial Society and Its Future (1995) & Our Socio-Technology Woes Today

with one comment

With Manhunt Unabomber on TV recently which I binged, I have been thinking about old Ted and his ideals behind the madness he was pushing. I would like to state up front that I do believe that Ted is clinically mentally ill and that manifested itself when he finally went into seclusion. What happened over the years that followed was an unbalanced reaction to ideas that have a core of truth though and many people actually see the same kernels of insight that I am going to talk about here. I have just finished re-reading the manifesto that he got the papers to publish under threat in 1995 and clipped some passages for you to see here without having to read the tome yourselves.

Where I want to direct this post though is about the problems we have today with technology that Ted seemed to foresee and also to extend a little further into the social issues that we have seen played out in our recent election cycle and the probable attacks on the one upcoming in 2018. Ted touched on some of the sociological and more human issues of technologies and systems in his manifesto but for the most part he was taking a very rigid stance that all technology is bad for human beings and the environment. He had some interesting ideas on sociology specifically on left wing and right wing personalities and ideals that, well, he get’s all wrong frankly, but I feel it is important to mention. Though he got it wrong and his opinions on motivations was, well, very 1950’s, you can see some of what he is talking about in what has been playing out with the alt-right movement.

Ted is misdiagnosing people’s motivations likely tinged with his own issues psychologically so his assessment is flawed. However, if you read above you can see something there if you align it to the alt-right today. They feel inferior in that they lack the power, or, lacked the power until Trump was put into power by their minority of thirty odd percent of the vote. Anyway, Ted goes on for a fair bit on this and I will not bore you with it as it is not overly germane to this post, but I thought you should at least get a glimpse here. Ted, you got leftists and right wing all wrong dude. Of course this was within the first pages of his manifesto and he really does not get to the technology part until section 114 or so where we want to be.

In 114 Ted starts to talk about “the system” which means all technologies to him I think, but if you look at it from the perspective of a political system as well, you can see something that maybe we all have felt. How many of you have thought about voting and come to the conclusion that your vote doesn’t count? I have, in fact in the last election I almost did not vote because I just felt that the system was rigged. In rigged I mean districts were gerrymandered, back door deals are all in play, and possibly even the election machines had been hacked because, as we all know in the security circle here, they are so weak in security mechanisms to be laughable to hack. In effect, these systems, both technological and rule based were inherently made untrustworthy by the system of politics. We have had our real autonomy and ability of action removed from us through the system and it’s rules …So why bother voting if it’s a foregone conclusion and there is no foreseeable change right?

Another area of thought that Ted writes about that seems to be a companion to the above section is once again your power is taken from you because the government or the system. In Ted’s mind it is the technology at the bottom of all this but here again he is making what I would consider more a political or societal argument. In that conservatives really want states rights over big government, I for one cannot extricate this paragraph from the notion today that the right wing would like to take away the power of the people locally as well as nation wide even with “small government” Honestly some of their thought processes are rife with cognitive dissonance but the goals seem to be “we are in control because we have the money and the power and you should just do what we say” Anyway, it is just another system and technology today only enhances the control as far as I can see. Of course we are also seeing that with things like Anonymous and the internet, the power can be interrupted with the application of the right technologies as well huh?

Here Ted is talking about the system taking over the individual to perpetuate the “system” and if you read this with an eye to today’s concerns over jobs and the rise of the Trumpists, you can see a parallel right? If the systems are now creating supply chains that are automated enough to not need human intervention for function, then we lose jobs right? Of course Trump really doesn’t cover this notion completely in favor of jingoism over borders and immigrants taking over our jobs but the real reality is that automation is doing this as well as tax games that move companies overseas. I sometimes wonder how the future will look if we do not educate our people better and these systems just function without the need for under educated workers, will we see more of this unrest that leads to another Trump?

 

If you have seen Manhunt Unabomber, then you will recognize the imagery that they used at the end concerning free will and systems of control. Ted takes it to the nth degree but the reality is that systems do control our actions but once again you have to accept that control and accede to it to be controlled. The very core of hackers and hacking is the notion that we can subvert the systems to make them do things they were not meant to do right? In the case of the stop light and the philosophical questions over being part of a system or controlled by one is very interesting. You all should ponder this as hackers and persons within a series of systems both technical and logical and consider your position here as well. I think we are at a cross roads here post 2016 and the use of technologies and systems of governance where one might feel like Ted a bit. What control do we really have when you could opt out of the system but the masses don’t? Look at what has happened when a small percentage of people in this country gamed the electoral system to elect Trump over the clear popular vote. The system has control over the lot of us and there isn’t very much we can do as we have seen if those in power, a small group, is in control of all our fates.

It makes one have thoughts about hacking systems… What does it mean? Can it be done? Should it?

In 130 and 147 here we have an important point from 1995 kids about the uses of technology as a form of control. Take that paragraph in and think about where we are today and what we have seen since 2001. We have fetishized technology in the name of freedom today. We have autonomous drones, cameras, NSA systems that monitor everything, and lest we forget our own abdication of our personal information and privacy for the new shiny phone or application. Collectively we have allowed our own security and privacy to be degraded for shiny things. What’s even more interesting is that those in the know, the one’s who have the capabilities to secure their private information may never really be able to completely do so because the systems are so prevalent that our data is out there anyway, just one breach away from being publicly available for sale on the darknet. I have often had thoughts about just backing away from the technology, but then my lizard brain just says “you can do this, you can secure your shit with crypto and all the things”

That’s delusional thinking.

Look at what played out in 2016 and then try to convince yourself that you can control the system enough to be immune.

Geez I am starting to sound like Neo.

Anyway, all of this manifesto reading has given me perspective on things in 2018. Ted had some ideas that are valid but he was unstable and decided to act on them to save humanity in the wrong way. Frankly he should have just lived in that cabin and kept to himself and paid no attention to the outside world. This is the crux of the problem though, could he? It seems like he lived on the fringes of society and he knew he could not go full mountain man and live off the land so he did what he did. Herein lies the problem though for us all. Unless you have the wherewithal to live fully off the land then you have to deal with technology and society right? So here we are, how many of you out there could just walk into the woods and live? I find it funny that a lot of our zombie shows pretty much deal with this issue and we are eating it up. Deep down we all know that if society broke down and technology stopped, we would have to fight for everything to survive. Many of us wouldn’t be able to handle it and there would be a lot of attrition.

As we move forward with AI and more technologies that are supposed to make our lives easier, we are also infantilizing ourselves, separating ourselves from communities, and giving away certain aspects of ourselves to the machine. So I can understand some of what Ted was saying …I am just not mentally unstable enough to want to live in a shack and make little packages of explosives. I do however have my moments when I as; “What are we doing here?” I have written posts on Stratfor about hybrid warfare counter programs and honestly between the pervasiveness of the technology and the cognitive dissonance of those who use it I can see no good options for countering it. Is the answer then to just leave Twitter and Facebook? Is the answer to just not surf the net and read a book from a library? Or do you double down and work the system like a hacker and try to get some sanity?

K.

Written by Krypt3ia

2018/01/31 at 14:12

2018: Active Measures and Hybrid Warfare Possibilities

with 2 comments

With 2018 just hours away I thought I would add to the cacophony of posts on what you might see in the year to come, but in my case this is the black swan edition of NATSEC for the new year. There will be in my opinion no way that the Russian’s up the ante on active measures and hybrid warfare on the United States in the next year especially since there will be elections for Congress. Elections that will likely lessen Russia’s grip on the country if the Democrats can actually be a majority and control the possible investigations that are ongoing today.

Of course even if there weren’t an election coming the Russians and possibly others would still continue to stoke the active measure fires because it serves their ultimate purpose of making the US inert politically on the world stage. The whole point of these actions is to divide us and to lessen our ability to counter Russia in their global machinations. Overall, it is likely to be a wild ride next year and this primer may help you comprehend what might actually be happening.

Definitions

Active Measures Definition: (Russian: активные мероприятия) is a Soviet term for the actions of political warfare conducted by the Soviet and Russian security services (Cheka, OGPU, NKVD, KGB, FSB) to influence the course of world events, in addition to collecting intelligence and producing “politically correct” assessment of it.

Information Warfare Definition: Information warfare (IW) is a concept involving the battlespace use and management of information and communication technology in pursuit of a competitive advantage over an opponent.

Propaganda: Information, especially of a biased or misleading nature, used to promote or publicize a particular political cause or point of view.

Kompromat: kompromat. Literal meaning. compromising materials. In Russian politics, Kompromat, literally “compromising material”, is damaging information about a politician or other public figure used to create negative publicity, for blackmail, or for ensuring loyalty.

Hybrid Warfare Definition: Hybrid warfare is a military strategy that blends conventional warfare, irregular warfare and cyberwarfare. … There are a variety of terms used to refer to the hybrid war concept: hybrid war, hybrid warfare, hybrid threat, or hybrid adversary (as well as non-linear war, non-traditional war or special war).

The Players:

I want you all to consider that it will not only be Russia playing “Patriot Games” *wink wink* with us all in 2018, but also the other players who likely will be part of the larger picture here. Russia is a given, but as we have seen of late, the GOP seems to be playing much of the same cards that the Russians have against us in the last couple years. The GOP has taken their playbook and augmented it with Trump’s particular brand of crazy as well. Ultimately we have gone through the looking glass because the Russian’s active measures worked. We are now in a “post truth” and “alternative facts” universe which has caused many unable to parse out the reality of things to just either shut down or buy into their narratives whole hog.

  • Russia: will continue to attack reality and cause more fissures within our people and our government.
  • GOP: Will adapt the Russian and Trumpian playbook as well. They have done plenty of dirty tricks in the past, but now, they are armed with a tactical info nuke.
  • Third Parties: China, Iran, others, all will have their reasons to continue and extend the fissures and use them to their advantage.

There are many players who may want to get in on this game to serve their own purposes. Remember this as you try to sort all of it out as it happens.

Attacks

So I am going to throw out some scenarios or attack models here for you to consider. Some or all of these may happen in 2018. Maybe none will happen… Who am I trying to kid here! In any case, consider these as possible attacks and you may even see variations on these themes.

Sub Operations: HYBRID WAR

As we have seen a recent uptick in this activity already, and I am not sure of our SOSUS capabilities anymore, we have to consider that attacks may come from these little sub visits. Now, if you are up on your sub history, the Jimmy Carter (SSN-23) was one of the subs that tapped RU comms. As we have tapped post SORM traffic, the Russians are likely doing the same with the fiber that is on the bottom of the ocean as well. These kinds of listening operations are pretty standard, but consider now that the Russians have stepped this up might signal more possible scenarios. By shaping traffic, cutting traffic, or injecting things into it, the Russians could have quite the little advantage.

  • Subs intercepting (tapping) traffic
  • Subs ability to leave a dead mans switch or active kinetic measures to cut cable
  • Subs tapping allowing to add data to streams and or advance hacks

Hacks and Disinformation Operations: INFOWAR

The hack on the DNC servers was a pretty standard affair using phishing mails and then exploitation of the systems therein once they got a foothold. What data was exfiltrated though, and how it was parsed out and weaponized was the old new trick the US could not foresee evidently. The Russians have been carrying out this kind of warfare for years on Estonia and Ukraine as well as other countries that they feel the need to destabilize. We saw a fair amount of this in our election cycle in 2016 and you should expect more in 2018. In fact I would hazard to say that the operations are already in progress and data is being collected even as I type this.

  • Hacks on news systems
    • Insert fake stories to cause chaos and to delegitimize the org
    • Cause chaos and uncertainty (broadcast primarily but also news sites like CNN’s page)
  • Hacks on EAM systems (Emergency Action Message) There have been recent hacks on these systems by hackers but imagine a nation wide alert set by Russia?
    • Cause panic
    • Cause DoS on telco and other systems
    • Spur over action by government and populace
    • BGP re-routes
      • Ability to disrupt news
      • Ability to disrupt C&C
      • Ability to insert data into C&C
  • Leaks
    • More governmental leaks
    • Personal leaks (kompromat)
    • Leaks of doctored documents (Disinformation Operations)
  • Trolls armies
    • Twitter
    • Facebook
    • News sites
    • Comments sections
      • As we saw on the Net Neutrality comment site, these attacks can be leveraged against any public comment topic. So imagine it being used on the White House site (that is if the Trump admin hadn’t basically killed that function already)
    • Radio commenters
    • AM/SW radio broadcasts

HUMINT/Asset Recruitment

Ah yes, one of my favorite categories… As an old school guy who was around before the computer was so ubiquitous, this form of espionage was the thing. Of course the NSA had signals intel, radio, bugging, etc, but good old human assets can do quite a bit and should still be a thing. Today I would say that in tandem with the active measures attacks that we have seen and will see in 2018, you can count on more human assets being activated. These can be trolls that are real people who take on personae online as well as players within the system who have been recruited or turned.

  • Asset recruitment of GOP players
  • Asset recruitment of proxy group individuals
  • Kompromat use

Kinetic Attacks by Proxy Operations

Kinetic attacks are not as likely but given that things are getting out of hand, and may get even more out of control, I thought it prudent to add this. What I mean by kinetic attacks by proxies is simply that the actors could incite groups and individuals to violent action. We saw in 2017 the Nazi (alt-right) movement’s rise and in that, we saw violence perpetrated as well as at least one death by a Nazi running down a protester. This type of activity is standard operations really in the history of espionage and active measures both by Russia and by the US. If you doubt the US has done such things you should look up our interventions in South America in the past.

  • Insert proxy actors to actualize physical attacks
  • Use groups like KKK and others to initiate more kinetic actions like bombings and confrontations
    • Cause over reaction on populace part
    • Cause over reaction by local and federal governments
      • Over reactions like martial law or other types of crack downs
      • Likely to cause further surveillance tactics and programs

Digital Attacks That Lead To Kinetic Results

And the attack du jour of late, the cyber attacks that cause kinetic effects! Honestly there is no evidence of there being a possible wide scale attack being carried out successfully on the US grid, but, there is always a chance. Of course smaller scale attacks in regions could be possible and carried out to great effect. The effect I speak of would be to perhaps hinder voting, but more so to sow chaos and uncertainty in the population. If you strike the right balance, you could even tailor an attack to lead people to a certain political actor as they run a narrative that gives assurance of reciprocity etc.

I know, now it’s sounding all Manchurian Candidate huh? Well, look at Trump and what happened and then think about it again. He has been pretty much using the Russians playbook that he was given by Putin so it’s not so inconceivable.

  • Power: Power goes down
  • Water: Water stops flowing or becomes tainted
  • Telco: Cells go down
  • Media: No news in an emergency with any of the other situations people will freak
  • Internet Infrastructure (as mentioned above in attacks on cables) No communications, freaking populace

Well, those are some of the scenarios I can foresee. I am sure there will be plenty of others that I could not even imagine today. Suffice to say that we will be under attack again with more vigor specifically by the Russians and the GOP in hopes that they will keep their seats. All of us just need to strap in for the Krazy Ivan to come. Just remember to be judicious in your consuming of media and always think before you freak.

Happy New Year!

K.

 

Written by Krypt3ia

2017/12/29 at 22:19

Posted in .gov, 2018, Infowar

DNC Hack: The Flying Fickle Finger of Fate and Intelligence Analysis

leave a comment »

ikQnbyk

 

I had some Tweet conversations this morning that led me to a need to make yet another post on the DNC hack debacle. @Viss and @mr0x20wednesday both struck up a conversation after I posted a link to the NYT article on the consensus that is growing within the government that Russia carried out the hack. The consensus building is coming from assessment by the CIA while the FBI has initiated an investigation into the hack and the subsequent dump of data to Wikileaks and to the web via the wordpress account for Guccifer2.0. It is important to take note of the previous statement I make here about who is “assessing” and who is “investigating” and that is something people in the general population do not quite grok much of the time. The FBI attempts to prove things in court and the CIA generates analysis and assessment to help leaders make decisions. These are two different things and I want you all in INFOSEC to understand this when you start to have conversations about spooky things like the hack on the DNC and the subsequent possible propaganda, psyops, and disinformation campaigns that may ensue.

I recently wrote a more irreverent post while I was in a more Hunter S. Thompson state of mind concerning American politiks and the mess we are in, but the core idea that Russia carried off this hack and the actions after it still hold true for me. Many of you out there are reacting more like how I reacted when the Sony attack happened and once again I also find myself asking the same questions and having the same concerns over attribution versus solid evidence. There are many issues at play here though that you have to take into account when dealing with an action like the Sony or DNC hacks where information warfare or “cyber war” are concerned. Most of the considerations you have to make surround the classification of much of what you might get in the way of evidence to start with never mind about the circumspect nature of attribution that is being released to the media. At the end of the day my question to the FBI was “Show me proof” which is their job right? FBI is part of the DOJ and should be leading to charges right? Well, none were proffered by the Obama administration, some sanctions were laid on DPRK but no charges, unlike the wanted posters for the Chinese agents that the FBI laid out for hacks and thefts of data. There is a distinct difference here and that is evidence that can be presented in a court versus attribution and analysis by companies like FireEye and Crowdstrike. True, both those firms can prove certain things but primarily, as you all know out there, attribution is hard to prove so it really stops at analysis, more like the intelligence agencies content and mission.

So where does that leave us with regard to the DNC hack? Well, the attribution data presented first off may only be a portion of what Crowdstrike may have. Other portions may in fact have been classified or asked to be held back by the government (I’d say pretty likely here) and may some day be revealed. If the Sony hack is any indication though of this process, not so much. I am still unaware of any real conclusive evidence of Sony’s hack being DPRK but like I said, the US government sanctioned DPRK over it. It is not likely the government and the president would do so without some more solid evidence but one must consider “sources and methods” when dealing with international intrigue like this right? Don’t like that? Well, get used to it because you are going to see more and more of this as we move into the golden age of nation state hacking and covert action. There will be things you John Q. Public, will never know and will be classified for a good long time. Just take a stroll through the Spy Museum in the cyber war section and look at some of those code names. I bet you haven’t heard of some of them and at least one of them, some of us, were VERY surprised to see on that wall already.

But I digress…

At the end of the day though I have to go with previous experience, Occams Razor, and a sense of Cui Bono concerning the DNC hack/dump/manipulation. Some may argue that the GRU and KGB (yes, once again old agencies don’t die, they just change names 😉 ) would not be as sloppy as to leave the breadcrumbs that are being found by Crowdstrike and others. I would remind you to look at at the last big operation that we busted in the US by the KGB as well as the recent posting of selfies by a KGB graduating class as examples of “everyone fucks up” For that matter, shall we mention our own CIA’s debacle with the Pizza Hut? Every agency screws up and every hacker does too. Humans and human nature insure that things will get messed up, there are no perfect operations. In this case the assets involved likely had access to the DNC as well as the RNC but decided to use this data to influence the elections in a manner that they could get away with it easily. This is the nature of spying, politics, and geopolitics, take a look at the history of the CIA and dirty tricks in the politics of South America and then picture it if they were doing the same (hint, they are) today in the cyber age.

That’s right kids, there have been other dumps and hacks. Perhaps some of those too were the US? Think about it.

Russia and Putin have been gerrymandering elsewhere, money and influence operations have always been around. Now consider yourself to be Putin and you have an operation that gave you easily funnelled information to the likes of Julian Assange and Wikileaks! Even more enticing, the fact that you all know that attribution is hard to prove in hacking! What do you have to lose if you are Putin or anyone else? So, if you look at how this plays out, and what more may play out come October, who, what nation, would have the most to benefit if we actually had trump in office?

Think… The answer is ANYONE who would like to take America down a peg and have more possible influence on world politics.

If you look though at the rhetoric by Trump you can in fact see that the big dog in the room would be Putin though. Just think about it! How much more power and sway would Putin have if Trump were in office and dismembers NATO? Come on now kids, think about it. Ask yourselves “Cui Bono?” here. So stop the quibbling about the attribution and the finger pointing. Take the analysis by the CIA and others as well as the eventual data the FBI comes up with and start looking to how can we fix the problems here? There are so many problems though that I too get disheartened. The political system is broken, the information systems are not properly protected, and we run headlong into creating more weaponized code? It is enough to make a man drink.

Ooh good idea…

Dr. K.

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments

191

Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)  Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

Screenshot from 2016-06-17 13:35:04

Screenshot from 2016-06-17 13:33:43

Screenshot from 2016-06-17 13:31:49

Screenshot from 2016-06-17 12:51:57

Screenshot from 2016-06-17 12:46:55

Screenshot from 2016-06-17 12:46:44

Screenshot from 2016-06-17 12:46:33

Screenshot from 2016-06-17 12:46:14

Screenshot from 2016-06-17 12:46:03

Screenshot from 2016-06-17 12:45:43

Screenshot from 2016-06-17 12:44:48

Screenshot from 2016-06-17 09:51:34

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34