Archive for the ‘INTEL’ Category
Supply Chain Attacks and Nation State Pwnage: A Primer
Last Sunday night, while I was lounging on the couch watching some British Bake Off, I got word of the Solar Winds supply chain hack. After kicking back the last of my whiskey, I immediately got on the phone to start IR at work, cuz, yep, we have Solar Winds too.
Who’da thunk it?
Anyway, three days of IR stuff later, I am here to blog on the meanings for the muggles out there after having a conversation with a reporter on what it all meant. The reporter asked me about a tweet that was put out by Richard Blumenthal about needing to know more about this evolving hack and fallout thereof.
While I think that Dick is being a bit hyperbolic here, I also can tell you, gentle reader, that there is a lot to in fact be worried about regarding this instance of adversarial activity (most likely Russia’s APT29 Sluzhba vneshney razvedki Rossiyskoy /SVR group) which managed to break into a system application that many in the government, military, and corporations still run to manage their network.
This system is so prevalent in the space, that even in my environment, we still had it running and man, I thought we had made it go away long ago. So, you might be wondering what does Solar Winds really do? Well, glad you asked, it is a series of applications that help you maintain your large networks.
As you can see from the graphic from their site, the companies software performs a lot of management and monitoring capabilities within a network of individual systems. Servers, routers, databases, service desk applications, resource monitoring, network configuration, and security management. Now, you might be saying; “Ok, well, those are a lot of things that this stuff does, but, what does that mean security wise if the application (Orion) is compromised?” and that is a good question, the primary one I want you to comprehend if you are not in tech or security of the tech. What this means, is that this program suite by SolarWinds, is the ‘skeleton key’ now to a host of around 33k companies/networks that downloaded the tampered with update. This could affect around 300k clients in all, should there be more tampering or vulnerabilities exploited by the adversary now that they have the code base (assuming here) after they spent all that time inside SolarWinds systems.
So, we have a rather prevalent application suite that usually functions on a level of administrative access to do the very things it is bought to do. This means, that the Orion system contains ALL of your admin passwords up to and including domain administrator and enterprise administrator. What does this mean? It means that once the adversary had control over the Orion system, they had control over EVERYTHING that that system touched as well as now, if it did not have direct control, the passwords that would allow access within a network running this compromised system, are in the hands of the enemy.
Put simply, the adversary, has control over pretty much everything you own. They can log in, take data, manipulate data, and in the most extreme, burn your network down using other malware like a wiper or ransomware to do it. All of this, while you may not see the activity because everything is using credentials that are admin level and authenticated on your network. This is why it was so hard to detect this attack and to stop it and why they were inside the systems for so long.
Ok, so, what does that mean from the perspective of damage and about what groups the adversary hit? Well, so far, we know that the following entities were hit in this supply chain attack(s)
- Department of Homeland Security
- FireEye
- Treasury
- Commerce
- The National Security Council
These are all either government agencies or companies that handle a lot of government contracts, so you can kind of get a sense of what it means. However, let me expand on this, DHS and the NSC alone is a treasure trove for the Russians to gather all kinds of unclassified/classified data that they would want. Not only that, but, if you own the Orion systems in places like that, and that systems is in fact running in the CLASSIFIED space, then you have broached into the CLASSIFIED networks of things like NIPRNET and SIPRNET as well probably JWICS.
What does this mean? Lemme put it into internet vernacular for you;
This could be spectacularly bad. This is why so many are freaked out about this supply chain attack and the incident responses are all going on 24×7 now. It has yet to really be determined (at least publicly) how long the adversaries were inside these networks, but, I am going to assume that it was a long time, and a lot of damage has been done. Now all these places have to clean up the mess, re-set their networks and rebuild so that this cannot happen again. Then they have to assess the real damage to our security and perhaps someday give testimony in congress about it.
Now, about the other entities, these are the reasons that this hack is bad;
- FireEye: They do all the pentesting and security work for many of the same orgs as well as incident response. If they were owned as hard as we think, well, there is a lot of data that the adversaries could use on top of using all the tools they stole from them.
- Treasury, well, money right? Plans? Routes? All things monetary that the adversaries could use to mess with the united states up to and including theft of large sums of money potentially.
- Commerce as well, plans and other details that they could use against the US financially internally as well as globally.
Time will tell just how many other orgs got hit and may in fact have had data lost to the attackers. Also, do not forget the potential for further logic bombs out there that might be placed by the actor as well for future fun. Of course I have been hearing stories about power and water companies and systems being affected by this as well. All in all, it could be very bad for us all, and places us in our back foot most solidly globally.
One other aspect here, and this is highly speculative, but, what other secret orgs had connections to others with Orion? What orgs themselves in the secret spaces like FireEye, had the same software as well? What classified intelligence has been lost here?
Let that sink in…
Also, on the critical infrastructure end, I am not worried that the power will go off nationally, but, the Russians could mount more, and working attacks against regions with the right kind of access vis a vis this kind of hack.
Think about that too.
Gotta hand it to the Russians man, they play a good long game. Expect to be hearing about fallout on this for quite a long time. If you want to kind of get a sense of the scope of this, I would recommend watching “Sneakers” the whole McGuffin of the movie is the little black box that the mathematician created that decrypts all the things. This hack is kinda like that. With one box, the Russians decrypted EVERYTHING and then, like the Grinch, took it all up the chimney.
K.
Here’s a reading list too for you all to follow along with:
https://triblive.com/news/world/cyberattack-may-have-exposed-deep-u-s-secrets-damage-yet-unknown/
https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/theft-fireeye-red-team-tools
https://www.solarwinds.com/securityadvisory/faq
https://www.solarwinds.com/securityadvisory
Post Script:
Someone put out a tweet earlier that is very prescient;
This is an important context to have. Russia has used Ukraine as their down range test bed. If you remember back to NotPetya, you can see this exact supply chain attack cycle being leveraged there first, and tested. The Russians are old hands at this now.
A Real Cardinal of the Kremlin: An Asset In The Kremlin Exfiltrated and Blown By Russia and MSNBC
Breathlessly and with great hyperbole the MSNBC report came across my iPad as I sipped my morning coffee. The reporter eagerly reporting on their “scoop” of locating, potentially, the Russian source inside the Kremlin’s whereabouts in Washington DC. As I sat agog at their reporting, a mix of “OMG OMG OMG LOOK AT US!” and “Sorry, I can’t report the details because two guys in an SUV came at us after we rang a doorbell!” as the bile rose inside of me. I then took to Twitter and began to get information that surprised me and made it all the worse. It turns out that MSNBC buried the real lede in their reporting. It seems their “tip” on the possible asset that was exfiltrated in 2017 was in fact from the Russian government by proxy of a news site called Kommersant.ru.
The Kommersant article, posted yesterday before MSNBC made their rush to the address of the alleged Russian asset in DC, gives the name plainly, which I will not do here, and links to earlier stories of the missing official who went on vacation in 2017 and “disappeared without a trace”… Of course the Russians would have readily known who the asset was after the EXFIL, but, to post it online was an interesting move. Originally “The Storm”, another Russian news outlet posted in October 2017 of the missing Russian official but no one in the media took note it seems. The updated story in Kommersant though was prompted by the stories in the media about how Trump could not be trusted with intel much like (think Lavrov and Kislyak in the Oval) where Trump released code word intel to them and blew an Israeli operation. As the stories swirled from CNN quoting that the exfil had happened because Trump, the Russians I am sure began to ponder how they could stick a finger in the eye of the US and the CIA.
What they did was just remind everyone that the name of the asset in their opinion was <REDACTED> and that his new address was <REDACTED> in Virginia USA. They actually gave the address in the article. MSNBC got the tip somehow (likely monitoring sites like Kommersant) and immediately dispatched a crew to go to the address and knock on the door Geraldo style and get the scoopy scoop and win the news day! Pay no mind to the potential intelligence disaster it may cause to someone who did a great service to this country.
…But hey HEADLINES! CLICKS! ADS! BYLINES!
Anyway, the asset has been moved I am sure but a lot still needs to be discussed here about this whole thing. I mean, why would they re-settle this guy and his family under his own name? Why would they allow them to purchase a rather large house under their names? I mean, once upon a time when you were exfiltrated from Russia (SOV Bloc) you got a new name and you got some money and lived quietly as you are consistently debriefed. Has the CIA lost it’s collective mind? Is this even the guy? What the hell is going on here? With that question upon my mind I will give this a bit of thought.
Is this the asset in question? … Given the details of their disappearance in 2017, and his role in the Kremlin, I am going to lean toward yes.
Why was this guy allowed to buy property and live in the open under his real name? … I honestly have a few theories:
- The CIA wanted the Kremlin to know as a poke in the eye and a challenge. If this guy gets a polonium enema in the US, shit is gonna go plaid.
- Also, the assets new life in a free country with considerable assets would perhaps entice others.
- His EXFIL was pretty out in the open once he went RED RABBIT, so, perhaps there just was no need for an elaborate re-settlement and name change.
- Lastly, perhaps there is some incompetence going on? Who knows, maybe the asset demanded they live free and under their own name?
What is going to happen now? … Well, if this asset has been moved as I suspect, then they likely will get that name change because they are spectacularly blown because of Kommersant and now MSNBC and all the other services. I mean, I did not name the guy here but Kommersant did and with just the name I tracked them down to the house through sales records online!
Jeez!
All in all, this whole affair just makes me scratch my head. I mean, we are really through the looking glass in 2019 with everything that has been going on since 2016 but wow. This whole thing at least moved me to post, something I have been uninterested in doing for a long while now, so there is that. I will watch the game unfold and see what plays out. I gotta say though, recent events regarding losses for the CIA in China and Iran have me worried that we have lost some of our skill sets in HUMINT. I would love to find out that this whole debacle was really a play at something larger by the CIA, but, I fear it wasn’t.
Interesting times…
K.
shaqgegpbanuq24g.onion: Alleged Iranian Espionage Sale Site
Tooling along the darknet last week I came across this little beauty and decided to play along. I collected the site first and took a look at the Persian text as well as tested the sites security with OnionScan. Here is what I found.
Original post from a pastebin on the darknet…
The Persian seems to have the right syntax for part of it but my Farsi is meh so if anyone wants to correct me there go right ahead.
ن از کارمندان سابق وزارت اطلاعات بودم و میخوام بگم که اگه کسی به اطلاعات دقیق نیاز داره یا خریدار اطلاعات است میتونه با من در تماس باشه از اونجایی که من خودم تو اون مملکت نیستم خیالم راحته و میخوام هرچی اطلاعات راجب کاراشون و افراد مخفی اون ها دارم رو در اختیار یک خریدار خوب قرار بدهم
Translation online:
I was a former employee of the Ministry of Intelligence, and I want to say that if someone needs accurate information or information purchaser can contact me, since I’m not in that country, I’m comfortable and I want all the information you need about them and their secret people. Give me a good buyer
Now all this tied to the imagery of Wikileaks and Anonymous kinda made me giggle but, it could still be legit (though not likely) so I decided to email the guy and see what I could get from him or them. The email address louferna@secmail.pro made me wonder if that was a name, I mean, Lou Ferna? Hmmm… A google of the name “Lou Ferna” got some hits but nothing that means anything really. The same goes for louferna straight up. I did go down the anagram rabbit hole for a bit but stopped myself before I started making murder maps with yarn in the office.
Anyway, in pondering the offering I had to wonder at the high bitcoin rate there. Seven bitcoins currently is worth about fifty four thousand dollars, which, I mean you gotta be a real player to pay this right? This kinda passed the smell test on this kind of data’s worth to the right people. Then there is the bit about giving proofs, which we shall cover further down in the post. I decided that this was worth playing with and used a cutout account to email the seller. Here is the results…
I emailed asking for proofs 
They responded first by saying they were working with someone else and brushed me off. I found that to be odd, so I pushed and emailed back saying that, that deal could fall through and what harm would there be if you gave me proofs? I mean, I could up the bitcoin amount if it was good stuff! They responded back with the text below….
With this email they had attached an image file. I checked that it wasn’t some malware etc and then opened it locally to inspect it. Once I took a look I emailed back to say that I would backstop what they had sent me and respond back confirming an offer. Of course I did not respond back but instead tried to do the backstopping as I had said I would.
The information that they sent is rather complete but useless in my opinion. I will admit that I did not spend a lot of cycles on the OSINT here (enough to translate names into Persian and then search) but I tried with all the ancillary data. So far, I was able to locate only one of these people and even that one had their name misspelled. Image searches for these guys proved fruitless as well because the engines kinda suck at this kind of thing. What became obvious to me is that this is all trying to play off of the leaks by the actors dropping APT34 data on the darknet as well as telegram, which I believe dropped even more tools etc this week if I remember correctly.
Anyway, if any of you come up with more solid data on these cats lemme know. I am not spending any more cycles on it really. Add to this the fact the the site is down now and was as of Monday when I checked again, so pretty much after I emailed them they went poof. I got no wallet to send money to etc. For all I know the other “client” paid up if there really ever was one. For myself, I am leaning on this being a fraud, an interesting one at that, but a fraud. The only other thing I can possibly think is that maybe I am just not seeing the right picture here and they did sell it and rolled up the carpet.
*shrug*
Some things to take from this though…
- The site was clean, no security leaks at all. If you are gonna have a presence in the darknet it is really best to use the KISS method. These guys just used a simple HTML static page. Simple yet effective in keeping the security of where the site sat and not leaving a trace online to track back with. The only thing I could say is that the email address could be an Achilles heal because it is hosted by a company rather than their own hosting service.
- The story had enough to keep one interested and to possibly think it is legit. It was a step above offering at the start to give proofs.
- The brush off, if it was a ploy, was superb SE and they were playing the long game with that.
- The 54K price tag also played into the thing being legit enough to at least talk to them.
- The story that they used to be Iranian spooks and that they lived outside of Iran now played too, it also made for possible stale data in the offering, note they talked about Khomeini and agencies from the past.
Nothing ventured nothing gained huh? I of course reported the site to the right people in low places and forwarded a copy of the site in case it went poof (which it did) so they have it all.
An amusing story for you all.
Feel free to play the home game on those guys in the pics and lemme know what you find.
K.
Maria Butina: The Knockoff Anna Chapman
AGENT OF INFLUENCE:
The arrest of Maria Butina, the poor man’s Anna Chapman has opened a whole new avenue of investigation by the amateur spy hunters as well as the professionals this week. As it turns out, Maria had been under surveillance for a while and a known quantity to the FBI/DOJ as well for some time. Butina was even in the news cycles back in 2016 attached in stories to Alexander Torshin, a Russian Oligarch cum Bratva/Mobster with ties to the FSB and to Putin. This however did not make her a household name and in effect many people in the media were caught off guard I think when the feds arrested her and presented the affidavit in court on her FARA violations and flight risk potential.
Butina had been a fixture in 2015-2016 with the NRA circles and in fact it seems that she and Torshin had been a part of a plot to funnel money to the NRA as well as attempt to garner access to the Trump campaign/admin as well as others in the Republican party vis a vis entree from the NRA itself and a certain person 1, in the affidavit. Person one turns out to be Paul Erickson, an alleged master of the political universe in his own mind. He and Butina had been living together and it has become clear that it was a task that Butina felt she had to carry out to complete her mission per conversations the feds have picked up during their surveillance of her.
It seems that Butina, and Torshin with the help of Erickson and one other person yet unnamed, were able to potentially funnel money through the NRA to the Trump campaign and to the tune of 30 million dollars. With this access and her machinations to meet and greet as many players as possible (a list was provided by Erickson it seems to hit up with his direction) they would also have access and influence over CPAC, the conservative political action group as well. With this kind of access it seems that perhaps, with more information to come to confirm this, Russia had an access and influence campaign that changed the Republican platforms stance on Russia to be more along the lines of what Trump is evincing today.
Poor Man’s Anna Chapman:
After all the information started coming out post the affidavit’s publication online it then became an interesting rabbit hole to go down and see just how this operation was carried out and with what skill. After looking at things myself I am going to say here that I do not believe this was a well thought out operation that was being run by the likes of the SVR nor the FSB. I think that this was a condoned and “let’s see what happens” kind of operation that was a sideshow to the main events of the influence operations by the GRU and SVR that we are all dealing with today. I say this for a few reasons;
1) Torshin is connected to the FSB but he is not FSB: He in fact likely is an asset of the FSB much like some mobsters have been to the CIA in the past.
2) Torshin and Butina’s utter lack of OPSEC leaves me to believe that this was not a managed operation by the FSB/SVR/GRU because plainly it was so inept
3) Butina seems to be a clean skin (i.e. no history as an operative) but does have a backstop story of being a Russian business owner. She isn’t really a classic kind of “illegal” because she did not have a cover identity and paperwork like the illegals busted back in 2010 who were actually trained in tradecraft and sent here undercover.
In fact the absolutely poor OPSEC with which these two carried out communications online and off is a sign to me that there were no official handlers to the operation. If there were then they were negligent to the point of idiocy. There is even an amusing exchange between Butina and Torshin about being on a phone call and it being insecure where Butina recommends using WhatsApp but it is not clear if Torshin could handle using it and that they went silent so to speak. It seems overall that they did not and the feds have quite a bit of material on them both.
Add to this the fact that they carried a lot of these conversations in email and on facebook and Twitter and you can see a clear pattern of lack of tradecraft as opposed to what we have all seen come out of the indictments recently of the GRU operation against the DCCC and DNC as well as the disinformation operations. So once again I am gonna call it as amateur hour with a side of Anna Chapman Sparrow wannabe syndrome. This can also be reinforced with Torshin’s comments on how Butina is like and or had surpassed Anna in her operations.
A Noisy Operation:
What Maria Butina lacked in tradecraft, she easily made up for in ability to entice 54 year olds like Erickson with sex and access though. It seems that she played on this quite a bit and thought of herself as the next Anna super spy given all these photos she had taken by Oleg Volk, a photographer with a gun fetish in Tennessee. Her portfolio there is all guns all the time and since she was playing the part of a Russian NRA right to bear arms supporter it all fit the greater theme. However, even with her sex appeal and her playfulness, she managed to not be overly subtle either and her connections to Torshin were pretty clear. The media and certain people in the government noticed and asked for her to be investigated as well as her connections to the NRA.
As you can see from the text here she was a known quantity but all of these people around her did nothing to report her. They all just went along with the money and the possible access to her and Russia via Torshin. It really amazes me how people can just eschew all ethics and morals when large sums of money are being handed to them in order to further their own cause. As for the Republicans and the access there, like I said above I believe there is much more yet to come on her connections to individuals and the movements of money from them to NRA to Trump. I look forward to more of this coming out and in fact a little teaser yesterday was that a new player showed up at court for Butina’s hearing on being a flight risk.
That new player is a prosecutor who’s specialty is with trials concerning espionage. It turns out that though she has been arrested on FARA issues, she may in fact be later charged with espionage given that this prosecutor has shown up. It is also interesting that during the hearing there were two guys from the Russian consulate there and the reason that Butina was remanded without bail was the concern that she had packed all her things, moved money overseas, and that the consulate folks looked like they were planning an exfil if she was let go.
Giggity.
Players Yet To Be Named:
I also have to wonder who Person 2 is as well as others out there who had connections and or friendships with Butina. They all must be shitting bricks right about now I would think. One of those people mentioned in the articles I got in my OSINT searches was Cleta Mitchell. I looked her up and wouldn’t you know it, she is involved on the International Foundation for Electoral Systems board as well as seems to have raised the alarm about Russia, the NRA, and money and access being funneled from it to Trump.
I guess she saw it all up close and personal…
I wonder when we will have some more names added to the list and perhaps some indictments or at the least subpoena’s served on this matter. Overall though, this case could be a lynch pin for the Mueller investigation in a couple of ways. Certainly there is the money angle, and Mueller is following the money most certainly. The players here could end up helping the investigation for immunity as well. However, the big thing for me is that in this net of collusion and money, we may see even more republicans touched by this case. It seems pretty clear that the Republicans changed their attitudes toward Russia after the money spigot opened and perhaps this NRA money funnel and perhaps to CPAC will crack open and give us some answers on why people like Nunes and Gowdy for instance, are so available to subverting the constitution in favor of Trump and Russia.
Perhaps they are trying to hide their guilt because, gee, there’s kompromat on them as well.
Maybe some pics of Butina, guns, and naked senators somewhere…
K.
Burning Sources
Of late I have been working on my keynote for Circle City Con and as such been preoccupied with espionage in the digital age. As it turns out the keynote got me thinking about classical espionage quite a bit so the actual burning of an asset (in this case a CI Cooperating Informant working for the FBI) is unfortunately timely. The use of HUMINT in this case to collect information is a key part of the investigation and having this kind of asset burned by demands of the President is extraordinary. Of course others have been burned like Valery Plame, but she was an actual NOC agent! This though sets a bad precedent for the intelligence community and bodes ill for those other sources out there who might want to help us in future.
This is what happens when investigations and agencies are attacked for political gains by those actors who are adept at obfuscations. Of late all of the goings on surrounding the clear attack by Russia against this country and our electoral system have become so politically charged and muddled by active measures on the part of Republican supporters of Trump and his other minions has made me just turn off the news and walk away. It is my hope that this does not escalate further into a full blown constitutional crisis but it is kinda looking that way right now.
As we move forward though, I want you all to realize that these events concerning this source are extraordinary and not the norm for certain. It is only the ability of the president with a will to do so, to break every norm and attempt to subvert the very things that make America “Great” that we have an asset like this burned and likely feeling the pressure of attacks by Trump Nationalists and even perhaps now on the radar of the Russians. Any other circumstance where someone might be a source though on the FBI side may be a bit more safe than this particular instance.
However…
IF you are an asset for the US and you are currently working against any other countries interest, and perhaps particularly Russia, you may be in more danger as it seems that if Trump and his minions have their way, they could leverage this attack against others in thrall to their financial and kompromat masters. It may be time to get your bugout bags and your exfil plans ready…
Just sayin.
K.
Vault 7
See Robert Redford at the top of the page? He’s playing a character who was an intelligence analyst who read books for the CIA. He came back from getting lunch for his co-workers and found them all dead, killed by a rogue CIA operation that hired an outside freelance assassin to kill them all and cover up rogue operations. This is fiction, and YOU are not him. So please everyone just calm the fuck down about the Wikileaks Vault7 dump ok?
RIGHT! Well Wikileaks has done it again and released a dump of CIA exploits this time around. There are quite a few little gems in there and the hue and cry by the genpop has been idiotic as usual. My personal favorite was the epic fuckery around how the New York Times chose to say that some of the exploits “bypassed” the encryption of programs like Signal which sent many an INFOSEC twitter account into a tizzy over “OMG IT ISN’T A BYPASS!” which, by the way, FUCKING CUT THAT SHIT OUT YOU SELF IMPORTANT FUCKWITS! The point of the statement is true, if the software in the Vault7 dump is used on someone’s phone then the CIA is BYPASSING the encryption altogether. For that matter they are bypassing the application altogether! So stop with the self important I AM A GOD DAMNED IMPORTANT PENTESTER AND THE SEMANTICS OF THE HERE ARTICLE ARE WRONG ERMEGERD!
Just stop.
The point of it all is that these tools, if used against you (until they are mitigated by patching and fixes to OS’) will make any precautions you take on those devices moot ok? Arguing over the semantics of it all is just fucking stupid posturing and if you expect the average person to understand what you are saying, then you are delusional ok? Oh, and if you think that the average person is the target of these attacks, yep, you once again are delusional. Specifically, if you are a US person CONUS and you are just the average Joe the plummer, you are NOT the target of the CIA.
Sorry.. I know it hurts your self image but it’s fucking true.
Get over yourselves.
Ok, so that rant is over, now let’s move on to other things about this dump. There’s a lot of techical stuff that will make the wonks masturbate for quite a long time and that’s to be expected. However, I would like to talk about a few other side loaded things happening that you should think about. First off, let’s talk about the dump itself and who dumped it. It seems from what I am seeing Assange saying, is that the dump was given to Wikileaks by an insider who wanted to open up discussion over the pervasive nature of these kinds of exploits against common and deeply penetrated systems in our collective lives. By this I mean cell phones, TV’s and other IOT devices. Now most of the stuff in the dump looks to be from 2012 up to nearly 2016 so it is older in respect to 0day and hacking exploits in many ways. Since they were secret though and they took a lot of time to make sure there were bypasses as well as ways to hide their presence, the CIA’s stuff is still old from a certain standpoint. Within the community one has to offer up the idea that not everything stays secret and those services that cover assets that the CIA might want to bug also have people who spend their time looking for such software right? What I am saying is who knows what has been working well and undetected and what has been detected by a foreign power and counteracted or allowed to use as a means of disinformation. Take that into consideration when you read the dump. Sure the common man here in the world may not know about this stuff and it will blow their minds but in the IC maybe not ok?
Now let’s consider how long this data has been in the hands of Wikileaks and who may have had it before. This stuff may have been in the community at large for a long time. The CIA may have shared this tech with FIVE EYES in some cases but if you look at the headers much of it was NOFORN (No Foreign Persons) so let’s just assume it was inside Langley. If the data was common there, when did it get leaked originally? Who had it in the interim? This goes back to the paragraph above too. If the exploits were working, now we have to wonder if they were being fed bad data by them from an aware adversary (this will play a key fact in the дезинформация part of this post later) given when we think the data was stolen and leaked. The fact of the matter is this, brass tacks I don’t believe a word Assange says from his balcony at Hacienda Ecuador and my money is that this was not leaked by a CIA employee just because they had a change of heart. I personally believe that whoever leaked it is an asset of a foreign power and that power just might be Russia.
Which brings me to the issue of the quick disinformation spin up by what looks to be Russian trolls and bots on Twitter and elsewhere over this last dump. The narratives that are starting to spin up are aiming this data directly at Democrats (including Hillary) and are aimed to cause more friction within the country and our politics. Gee, who lately has been doing that I wonder? The Daily Beast had a good report on this and I agree with Rob that this has spun up way too quickly and too much cohesion to allow for it not to have been in the pipeline before the dump. My meaning is that as we have seen in the recent past with the hack on the DNC and active measures on our electoral system, the Russians have a useful idiot in Assange and the Wikileaks organization. Assange has been another lackey of Putin like Trump and in fact it is quite possible that the leaked data came from Russia by way of an asset inside the CIA. Which then makes the inevitability of a Russian mole hunt at Langley a very large possibility. I bet the polygraphers are all warming up their electrodes as I write this in Virginia.
So, while all you INFOSEC nerds wank off to the sploits just remember these salient points.
- There’s a bigger more subtle game going on here
- YOU are not that important so just take this stuff and work on how to fix it
- Take a beat and remember YOU ARE NOT THAT IMPORTANT
- The CIA is not charter to work within the USA these exploits were targeted at other countries. Just look at FINE DINING for case officers
- Consider what exploits other countries have and are being used that you don’t know about
- PENTESTERS ARE NOT FUCKING JAMES BOND. FOR FUCKS SAKE JAMES BOND IS NOT JAMES BOND!
Look at the bigger picture.
K.
“Wilderness of Mirrors “
With all of the crazed tweets over the weekend from 45 I thought it would be appropriate to acquaint my readers with the notion of the “Wilderness of Mirrors” as James Jesus Angleton put it. Angleton is famous for his paranoia and his actions during the time he was chief of counter intelligence at the CIA from 1954-1975. Today we are in an unprecedented time of national intrigue with our very nations political system at stake with the issues surrounding the hack of the DNC, the manipulation of the US election process, and now the allegations and insinuations that the Trump campaign may have colluded with Russia. All of these things now fall under the auspices of Counter Intelligence in that there are actors within our government that may be compromised and have either been witting or unwitting accomplices to a foreign powers manipulation of our national transition of power. What’s more, these same individuals may in fact be assets of that foreign power while they are in the power within the White House and elsewhere within the new administration.
Take a breath there and contemplate that statement.
We potentially have reached what I personally thought was only a movie plot line as a reality today. There are actual reasons to question whether or not the President of the US today may be a witting or unwitting asset of the Russian state. There may be reason to believe that the minions of the new President may also be assets of the Russian state, and to even make it worse we have seen a litany of lies and half truths given by these people and their dissembling has been caught by the Fourth Estate and held accountable for them. While there is no smoking gun yet, there is a lot to parse out with every mornings headlines in the Times and other papers of record but I would like to lift the curtain a little for you on the counterintel side for you. If you are gonna play this game at home you need a primer on counter intelligence and the ‘Wilderness of Mirrors’
When Angleton made the comment on the wilderness of mirrors he was referring to his own deep paranoia and the nature of counter intel. You have spies upon spies that you must determine who they work for in reality. As the chief of counter intelligence it was Angleton’s job to assume that assets and agents within his own organization were in fact double agents or even triple agents. It was Angleton’s job to seek the truth of what his officers were telling him from intelligence reports and what their assets were saying in a time when the great game was at it’s highest point with the USSR. In essence, and this was his personality anyway, he had to assume at all times there was compromise within his organization and to determine who those assets that were doubles were and were working for in reality.
Now, in the current situation we are going through with 45 and the Russian efforts to destabilize the United States there is no internal mole hunt that we have heard about within the halls of the CIA but, there is a counter intelligence operation going on at least at the FBI concerning all the players we are hearing about in the news and likely other names we have not heard. The current players you know are;
- Paul Manafort (Worked for Yanukovich/Had affairs/Money troubles/Access to slush funds)
- Trump (No tax retturns/business with Russia/Love of Putin)
- Jeff Sessions (Lied about meeting Russian Ambassador twice at least)
- Michael Flynn (Lied about talking to Russian ambassador to Pence and everyone else)
- Carter Page (Business with Russia and seems disposed to them)
- Jared Kushner (Revelations of meeting with Russian ambassador with Sessions)
- Roger Stone (May have handed over DNC emails to Wikileaks physically)
- Un-named others TBD
There are likely more to be named as we go along but you get the gist. The people in the inner circle of the current presidents campaign and those he then added to his administration all seem to have had regular contact with the Russian government pre election and post. Not only are they talking to Russian emissaries but according to the IC, they are talking to Russian intelligence officers. This is not a good thing even if they were unwitting assets of the Russian intelligence apparatus. To lie about these contacts only makes the problem worse for the state and places more suspicion on them all, which leads to the wilderness of mirrors that the fourth estate is amplifying with the reporting (which they should be doing) on the leaks that are coming out of the IC. Leaks mind you to my mind, are a means to an end to get the word out because if they did not, the admin would attempt to bury them forever. To wit, we have agents of foreign powers and people within the admin who are all lying about their connections and discussions. This is a counter intelligence operation and a mole hunt potentially. Do we believe the people who have been sources of the Steele notes? Or do we think that maybe they are telling tales to muddy the waters even more? Since some of these people seem to be dying conveniently are they being killed off by Putin for talking and telling the truth or are they just being killed to muddy the waters some more?
This is how you have to approach this. No one is telling the truth and you have to discern what the truth of it all really is. Who do you believe?
We are in the wilderness of mirrors kids. Look at the news and try to parse out what is truth and what is fiction. It makes it even worse when there are factions out there like Alex Jones and the SVR that would like you to believe wild stories and disinformation campaigns set out to further their own agendas. All of this then, in a completely inconceivable twist today is re-tweeted by the president of this country who often does so as a diversion (one hopes) or actually believes these things (much worse for he may be mentally deranged) which unbalances us all. We are now all in Angleton’s shoes trying to determine what is truth today and this is one of the most destabilizing things happening today to the United States populace and government. I want you all to understand this as you watch or read the news with these revelations. Specifically now that we have reached peak crazy with Trump saying that the former President ordered a FISA warrant on himself and the campaign in 2016. There are many issues here to consider and if in fact the IC had intel that the candidate and his minions were in fact in touch with Russian intelligence ‘constantly’ then what actions would the IC and the president have at their command to take up to determine if this was in fact true?
The recent accusation by the current president may be complete lunacy and the product of his own reading or watching conspiracy sites, or, it may have some basis in fact. In that there may not have been a FISA warrant but instead foreign friendly intelligence agencies, monitoring not only Russia but by their outside mandate, the current president and his people’s conversations “might” have some telling information. Maybe they in fact got the conversations and there was no smoking gun but instead the conversations looked suspect and more digging was required. Perhaps then, some group like the FIVE EYES passed along this information and it is still being worked by the IC here in the US?
‘Wilderness of Mirrors” kids.
Ponder that.
K.
The DNC Hack: SVR? KGB? GRU? Lone Hacker?
Attribution Games:
I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!
“I summon the Russian GRU!”
“I summon the LONE ACTOR!”
“I summon the KGB!”
*slaps down cards on table* TAKE THAT!
The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!
“Whoa”
So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.
So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”
Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?
Metadata and Cyrillic:
Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович) Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!
NAILED IT!
You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…
- Much of the data was stamped out in saving from format to format
- Emails of users though were still embedded in the excel files
- The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
- The image files have no metadata.. none.. niente clean.
- Grizzli777 is just someone who pirates
Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.
*squint.. takes drag of cigarette*
So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!
All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!
YAAAAY!
Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!
It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?
DATA:
Motivation Analysis and Hypothesis
RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…
Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…
- Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
- Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
- If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
- Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
- Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!
So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????
Why Pooty of course!
Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.
That’s my theory and I am sticking with it… For all the fucks that it is worth.
I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.
See you all in INFOSEC attribution Hell.
K.
ASSESSMENT: Edward Snowden KGB Asset
THE SNOWDEN AFFAIR:
Since the revelations began and the man without a country odyssey started all of our lives have changed at a fundamental level regarding our digital and private lives. The now million plus document trove is being parsed out by Glen Greenwald and others for the public to get a look into the inner workings of the state surveillance apparatus much to the consternation of the IC as well as the government and the dismay of the public. However you look upon Mr. Snowden and his choice you have to admit that the information does lend an insight into the great potential for abuse of the apparatus that the NSA has put together no matter what they may tell you they are doing or not doing to protect us. You see the point is no matter what alleged safeguards and altruism may lie within the apparatus and it’s employees it’s still ripe for abuse that will never see the light of day because it’s all classified and codified by the government. This is the point of the exercise as I see it from Mr. Snowden’s point of view and the aegis behind his doing what he did. Of course from day one darker minds would make assertions that there were darker geopolitical machinations at play and this was all just a dastardly plan to destroy us as a country. Of course as the passion play played out it was first China, the go to country for all our woe’s of late (APT etc) but as time wore on and Snowden found a perch in Russia, it’s now “clear” to some in the government that the plot was in fact Russian all along.
KGB ASSET:
Mike Rogers has been the bell ringer on the idea that Snowden from the get go was in fact a handled and groomed asset by a foreign power. His most recent bellowing without any real evidence is that Snowden was in fact an asset for Russia from the start and furthermore that all of this was done to damage the US and seek primacy once again on the international stage. Of course as I mentioned already Mike cannot offer any evidence and he alludes to “secrecy” of the data but in reality until you have proof that you can emphatically state and present the people it’s all just wild speculation and a form of conspiracy or propaganda in and of itself. While it is possible that Snowden was from the start an asset of the KGB FSB, the evidence thus far for motive, methods, and follow through are somewhat thin and I cannot go on the record as thinking he was handled from the start by Russia or any other nation state. The fact that Snowden ended up in Russia at Sheremetyevo may in fact be because of the machinations of Assange and Wikileaks brokering the deal to get him there and then to get him allowed into the country not as a plan all along. There is more evidence to say that this is in fact the case then there is of any KGB FSB actions.
OCCAM’S RAZOR:
Using the paradigm of “Occam’s Razor” here let’s run through the possibilities on whether or not the claims being made by Mike Rogers and others out there that this was a carefully planned operation that cultivated Ed Snowden to become the largest leaker in history.
- Ed Snowden is a naive individual who became through a sequence of events, an administrator within the IC networks and began to see things he thought were illegal and immoral
- He used his knowledge of hacking and technologies to accumulate data through his own administrative access and social engineering
- Once he saw the data he decided to leak all that he could and after seeing what happened to Manning made a plan to go to a country that in all the spy novels is easy to infiltrate and ex-filtrate out of
- The NSA itself had poor OPSEC and threats from insiders were poorly covered thus making this possible (proven to be the case)
- The NSA could not even keep track of internal access and exploitation (proven to be the case)
- He contacted the press and was turned down by some until he met Greenwald and Poitras who then planned with him how to release the data and to firewall Snowden off
- While in HK it became clear he could not stay there once the NSA/USA/UKUSA and other apparatus began working in the background to extradite him
- Poitras, Greenwald, and then Wikileaks ex-filtrated Snowden out of HK and to Russia where a brokered interim solution of the airport no mans zone was at least possible
- Snowden is a prize for the
KGBFSB after the fact from not only an intelligence perspective but also a political one that thumbs its nose at the US (a win win for Putin)
- Edward Snowden was a carefully orchestrated long term asset by the
KGBFSB trained by them to infiltrate the NSA and then use his domain admin/root access to steal them blind, exploiting their logical and technical vulnerabilities who they then ex-filtrated to HK and to Russia as a smoke screen for their own operational cover
- Snowden was handled by
KGBFSB for years while coming up the ranks as an UN-credentialed cleared individual clearly taking advantage of the US’ lax clearance and oversight process post 9/11 - Snowden was in contact with Russia from the start and is a consummate operator perhaps even a cleverly created cutout sleeper agent
- Once gathering all the data Snowden then passed it to Russia for them to digest and then leak to the world to cover their own operations and shame the US
- Snowden is now a hero of the state in Russia and will get a hero’s treatment with access to all that Russia can offer in the post Soviet Oligarchy (inclusive Anna Chapman visits)
Hmmm is it just me or does the razor only really cut one way?
ANALYSIS:
My take on the whole affair is that Snowden was not a paid/cultivated/handled asset of the KGB FSB nor do I think that he was aided in any way by Russia in carrying out this leak/exploit. What I do think is that he is naive but also that what he was seeing, what we are all now seeing today in the news made him feel that the accumulation of power in a central secret body was anathema to freedom and the American ethos. As we have seen in the news there have been many things that the government has allowed, even shall we say promulgated, that are clearly violations of the US Constitution no matter the inveigling that might occur by those in power as to it’s legality. So I for one can see why someone like Snowden might do what they did outside of their own propensities for spy novels and a sense of right and wrong.
The realities are that no matter the attestations by those running the programs and their need to use them, there is always a chance of their abuse and subsequent burial of the facts through classifications and National Security letters as we have seen these last years. Were egregious abuses happening and are they still today? I am sure there are some, after all this is nothing new and all you need do to confirm that is Google “Quis custodiet ipsos custodes?” or look just to recent history with the Plame Affair to see how abuses can and have happened. So is it really outside the pale for someone with a conscience and perhaps an overactive imagination to think that great wrongs are being committed in all our names? I think that while there may have been no abuses “may” I also think that the capacity for abuse and the infrastructure to hide them is easily seen within the current architecture of the IC apparatus of the NSA and their programs. After all, if you want to ask about the idea that if you have nothing to hide you have nothing to fear, I ask you to tell me just exactly how you feel every time you go through a TSA checkpoint at the airport today.
Finally, I would also like to touch on the idea that the governments own hubris and now embarrassment is firing the boilers on this whole blame game that Snowden is in fact a handled asset of the Russians. I think that the NSA/USGOV and IC community feel the sting of their inadequacies as they have been laid bare for all to see. You see, Snowden did not carry out some 3l33t hacking here to gather the data. He used common techniques and vulnerabilities within the NSA and other government IC bodies to steal data and put them all on a USB stick and then walk out with them. It’s a simple trick and the top of that list is actually just socially engineering people for their passwords within the confines of the most secretive and secret IC shops in the world. Now that has to sting a bit wouldn’t you agree? So there is shame all around here on the part of the government and it puts them all in a weak position tactically. The reactions of all those at play seems to be more along the lines of dialogue from a playground spat rather than state or spycraft and it’s sad really. As the immortal words of GW Bush can attest;
“There’s an old saying in Tennessee – I know it’s in Texas, probably in Tennessee – that says, fool me once, shame on – shame on you. Fool me – you can’t get fooled again.”
To me, it seems that Snowden just did what he did because of a myriad reasons that also include a certain amount of self aggrandizement. However, I can point to things in our own history and to popular media that may explain why someone might do something like this on the grounds that they think it’s illegal, immoral, and against the tenets of the USA. While POTUS is right about how important these types of programs can be in the war on terror and the every day intelligence gathering that every country needs to survive, it should also be possible to have some level of oversight to disallow for abuses of power to happen and happen with great frequency due to over classification. These are fundamental changes that should occur but the reality is that the very nature of the work being done and the culture within it’s halls will stoip any real progress being made. In the end nothing will change and the NSA will continue to collect all the data it can like a giant hoover-matic for later sorting and use.
Having grown up in the era of Nixon though, and other revelations like Iran Contra, I for one not only know that these things will continue to happen but that they have in the past and should be in our collective consciousness. Unfortunately many do not remember and the only entree into such ideas may in fact be cinema… I leave you with this scene from “Three Day’s Of The Condor”
Not everything in cinema is just fantasy…
“scr hrw lgihr kzpzz cwl nci pjwt”
Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach
IJPFRH CPAGP EIIL!
CYBER CYBER CYBER!
CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)
The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.
I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.
As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”
I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?
IW (INFORMATION WARFARE) RUSSIA
The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.
In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.
OUR CHINESE OVERLORDS
Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.
The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.
ANONYMOUS/SEA/LULZSEC
Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?
Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?
THE GRID
OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.
It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.
WHAT’S MISSING?
All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?
I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.
OVERALL TAKE
Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.
We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..
K.
Krypt3ia 