Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘.mil’ Category

Bellingcat: OSINT Playing Games Where People Tend To Get Burned and Dead

leave a comment »

 

Recently there has been a lot of hubbub about Bellingcat pivoting from tracking military movements and downed planes to exposing GRU operatives who have carried out poisoning operations in the UK. Personally I have watched with a mix of trepidation and angst over what they have been doing recently with the liquidators they have fingered for the Skripal poisonings. I have mixed feelings on all this because while I think they may in fact be right, they could also be being used by their “sources” in Russia as well as possibly be used in future to their detriment by Russia and other nation state services for disinformation operations. Even worse, this group and their OSINT could in fact get in the way of real operations by those same services of friendly nations and could endanger themselves if not others in the field by dropping these bits of intel.

OSINT is a new flavor of the day in the information security world but it has been a long standing practice in certain circles in the other community. The difference here is that the OSINT carried out before was by trained individuals within the intelligence community and not put out for general consumption for the world at large. Today, we have Bellingcat dropping all kinds of data that may or may not be correct that is messing directly with operations by a rogue nation (Russia) and a dictator (Putin) that has no compunction about just killing off the people who oppose him enough to cause him heartburn. This is the big difference here and I just want Bellingcat to take that into account as they do what they seem to be doing with regard to GRU ops. As far as I know, the people who work for Bellingcat are not former intel community, maybe there are some, someone can let me know, but you have to consider that the majority of the people there are not spooks and might be out of their depth in this regard.

Additionally, I would like to reiterate that these discoveries could be actually disinformation provided to you all by services like the SVR to hurt the GRU too. In the world of espionage you are forced to live in the wilderness of mirrors kids. Intelligence analysis is a real art and I am just not so sure your carrying it out completely with these dumps on the GRU carefully considering that fact. Just please consider that you are being played now and if not now, you will be in the future to your detriment by nation state actors for their own goals. That said, please take everything some group gives you so handily, even if the data is in fact correct, as a possible dangle or disinformation operation before you just dump it to the BBC.

Lastly, let me just say again in rather plain language, playing this game can get you dead. Russia is at a point with Putin that they just don’t give a fuck and if you are in their way, and enough of a problem, they will destroy you or kill you. Just look at Sergei and his daughter! Or for that matter, look at Anna Politkovskaya, Alexander Litvinenko, and more than a few other impediments that Putin got rid of. It may not happen now, but I can assure you if you piss them off too much, you will get their unwanted attention.

Just a caution….

Oh, and while I am talking about deaths, it seems that a relative of one of the assassins has been perhaps made missing or killed in Russia as well. So, you all have to consider the possibilities of your hubris in what you do in the form of innocent collateral damage to others.

Just sayin…

K.

Written by Krypt3ia

2018/10/09 at 20:18

Posted in .gov, .mil, OSINT, Spooks

Defeating Disinformation

leave a comment »

This tweet came up in my feed this morning and it got me thinking. There has been a lot of talk about how disrupting or denying the sources of disinformation could put a stop to it altogether. I for one have not been a proponent of strictly technical solutions to this because they never will work fully and while you can play whack a mole with fake news or disinfo operations, it will always propagate with those who have the cognitive bias and dissonance. What I mean by that is that the mind virus that is fake news or disinformation is just that, those who are disposed to it will propagate it if not create it out of whole cloth for their own reasons be they financial, cultural, or psychological.

While it has been shown that if you give those predisposed to these narratives, the truth once or twice they do not come to the conclusion that they are in fact falsehoods. In fact, the studies thus far have shown that you must repeatedly bombard those individuals with the truth (truth bombs heh) until they actually accept the truth. So, unless you can force these individuals to accept “truth” via other channels than the disinformation feeds, you will have little luck in stopping the disinformation from doing it’s harm and being magnified by those predisposed to their belief in them.

So, what I am saying here is that once again, the technology will not be able to stop the false narratives. The technologies today short of a truly Turing compliant AI that is plugged into the internet as a whole, will not be stopping the disinformation never mind those campaigns of falsehoods by the likes of an Alex Jones because they will be passing them in email, news sites, comments in sites, texts, tweets, over the phone, over the air, …everywhere possible. The reliance or thought of reliance on technologies alone to save us from all this kind of warfare is patently naive. The psychology of why disinformation works and how these things propagate WITH the technology is where we need to focus. More so we need to focus on the psychological aspects in relation to how we might leverage technologies to get the truth into the right minds with repeated viewings is key. Alas though, I fear that this is not what many in the technology space are considering and are relying on algorithms instead of focusing on the animal behind the keyboard. Until we do this I am afraid we are quite doomed to failure.

I also began to parse this tweet out a bit as well on the hacking versus the disinformation campaign. It is quite clear that the hacking and the dumps of information were at some level laced with disinformation but not as a whole was the hack a part of the disinformation campaigns by the GRU. While “not getting hacked” is a good start, the real problems came from other sources and in fact when I looked at the DC leaks stuff and the claims I did come up with some gold that the data did not come from the Clinton Foundation, but instead was DCCC and DNC only to the contrary of what Guccifer 2.0 wanted people to believe.

So yeah, the information being hacked surely added to the mix of disinformation out there but it was not a main contributor to it. Overall, the problems of disinformation rely much more on the psychology of the tribes at play now and the cognitive issues we have within them than the hacking ever did. It turned out at least in the Clinton campaign there was no real “there” there to latch on and make her look even worse with an expose of wrongdoings. The most we got was that they were treating Bernie poorly but really, that was it.

Where were the Benghazi revelations?

Where where the revelations that she and others were running a pedophile ring out of a pizza parlor in DC?

Where was the absolute proof that Clinton had ordered the murders of a number of US citizens and in fact was funneling monies around to places like Panama?

Oh yeah, there were none and this is the reason why the others out there including the GRU and the SVR were creating those narratives on Twitter, Reddit, and elsewhere for those predisposed to those mental virus were living and ready to echo the message to others. When the day comes that we see a dump of information that has been tampered with well enough to detect forensically, then we can parse that out a bit and prove out that a hacked dbase was the cause of disinformation like some of the DC leaks stuff tried to be. Other than that, the two roads do not meet in my book.

The technology is the amplifier but the humans behind the keyboard are the real engines here.

K.

Written by Krypt3ia

2018/07/16 at 16:58

Posted in .gov, .mil, 2016, 2018

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.

Written by Krypt3ia

2017/07/03 at 16:38

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

Prosecuting The Russian Cyber War: Beyond The Hyperbole

leave a comment »

screenshot-from-2016-12-19-13-42-28

This weekend my father actually asked me what I thought Big O was gonna do to respond to the hacking of our elections. He continued in the same breath to ask if we were going to take out Russia’s grid or something like that. My first thought was to say “Noooo” and to then explain to him how that might go all kinetic real quick like on us if we did. My response to him yesterday will be the genesis of this blog post today for you all. Since everyone seems all hot and bothered as to how we will respond and not giving Big O the benefit of the doubt that he actually reads the PDB’s and thinks about them, I will boil it all down to what I would do against Russia and Pooty to thread the needle and not cause an escalation.

First:

I would undertake the review on what exactly happened with the IW/DISINFO/PSYOP/Hack that took place for the election. This is important to not only understand what happened, but to understand just how much damage was done and what actions it took to set that into motion. From this you can assess the response level you need and in this case it has been rather speculative as to what really went down. This I also really point at the whole argument that the election machines in key states may or may not have had some supply chain tampering going on. So far I personally have seen no evidence that there was enough of an investigation to rule this out.

Second:

I would look at the capabilities we have and the intelligence we have collected on Putin. Intel such as a good psych profile and anything on his wealth/business structure. With both of these I would seek to discern what would hurt him personally, not so much the country. I would also use the psych profile to determine in red teaming out what his responses would be to certain scenarios. In essence I would perform a game scenario simulation to get the best results for us and start to build a plan(s) on those.

Third:

I would, knowing that this attack was personal for Pooty, and given his nature (much like Trumps really) I would perform the following actions;

  1. Attack his finances. All of the dirty ones first.
  2. Attack him with whatever kompromat we have (CIA/NSA) in the same leaks style that we saw from the elections (See news today about Tillerson for a cue)
  3. IF we have the assets in place both digital and “other” I would work to counter ongoing efforts in Germany and France as well as other places where we know he wants to do the same thing politically

These are the things I would do in parallel to assessing the damage to our forward capacities regarding the ShadowBrokers recent tease. IF all of those exploits on there are real, then all of them have been compromised and burned. Any operations that may have used those tools are burned and any future use of them has been burned. It is my opinion that the new events with the ersatz “Boceefus” account is just Pooty and the GRU saying “Try anything and you will fail” but that is only one dimensional thinking frankly. It is time to go beyond bits and bytes and also use HUMINT.

Just this guys take…

K.

Written by Krypt3ia

2016/12/19 at 19:05

Scenarios on Outcomes from Russian Information Operations on the US 2016 Election

with 2 comments

1016374513

Assessment Goals:

With all that has been happening with the disinformation and influence operations during this election cycle I thought it prudent to thought experiment out some scenarios if Russia or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit would other countries like Russia gain from such operations and you would be right to ask. That is a question for another post but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.

The goal here is to just lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat but you get the idea. All of these attacks are possible, and they do not have to all work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?

Interesting times….

SCENARIO 1: VOTE TAMPERING

The voting machine have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US according to sources. However, this does not preclude a way found to insert such code or physical devices in key states. It is also not impossible to have assets in play such as sympathizers or outright KGB assets on the ground helping to tamper with the results. I will not go into the details because this is a scenario to start but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.

POTENTIAL OUTCOME:

  • Trust in the election system is diminished
  • Recalls are called for by both candidates and the public
  • The electronic systems will lose public trust and a re-assessment of the process will be mandated

SCENARIO 2: VOTER ROLLS TAMPERING

Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a republican they can change that roll to the opposite party and vice versa. Additionally what if a users region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about and this could be one of the goals.

POTENTIAL OUTCOME:

  • Voters are unable to vote once they get to the polling place.
  • Voters are not allowed to correct these records and are thusly negated from the process
  • Attack key states once again, going for the electoral college and you can change the outcome of an election
  • All of the above once again have the amplification of causing distrust of the system and damage to the election
  • The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?

SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY

Russia has attacked the Ukraine elections by inserting malware/code into the election machines in 2014 that effectively bricked them. If such an attack code were placed and propagated within the American voting systems the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots but I am unsure the process can be that effectively nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return of service would be long, causing more FUD to the elections process itself.

POTENTIAL OUTCOME:

  • Voters are unable to vote or the process takes so long that they walk away with a more analog process
  • Trust in the electronic system would be degraded or destroyed
  • The election cycle would be likely broken and emergency measures would have to be employed (contingencies)
  • Continuity of government is challenged

CONCLUSIONS:

These three scenarios to date, have not been covered I believe. This post comes to you as the fruit of a discussion I had with @SteveD3 and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation to our election systems and the stability of the nation. It need not render the election completely in the favor of one or the other candidate conclusively to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged? With or without the hand of the Russians, others could be easily blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.

I suggest you red team these ideas yourselves and see what else you can come up with…

Written by Krypt3ia

2016/10/11 at 14:20

Q4PZNWNO56KOPHGWWZEK64S This Is Collapse Out.

leave a comment »

Screenshot from 2015-10-19 10:11:05

Last weekend a burst of four broadcasts on two short-wave channels caught the radio geeks ear and being one of those radio geeks I thought it interesting enough to write about them. On 10/14/2015 into 10/15/2015 the channels 8992.0 kHz and 11175.0 kHz lit up with the four messages recorded below. What makes these of interest are that these are the EAM (Emergency Action Message) channels and for the most part they remain rather dormant. This weekend though they were spun up with some interesting numbers station like activity. You can take a listen to the messages below and read the Russian site that I found talking about them as well.

1. COLLAPSE message one: http://vocaroo.com/i/s1hGyA2GR6HI
2. Collapse message Two: http://vocaroo.com/i/s1ETZ3l9fp0G
3. Collapse message Three: http://vocaroo.com/i/s03ZI6ui70LY
4. Четвертое сообщение было передано станцией “FLATTOP!” ( Еще одна станция которая не вещала в течение многих лет): http://vocaroo.com/i/s01smhgkyNDL

Screenshot from 2015-10-19 10:16:05

Screenshot from 2015-10-19 10:21:31

Now allegedly the last time that these were heard being used were a long time ago with sporadic calls being made by planes with no answer. So an actual EAM message is of interest to those of us paying attention to it. In this case I can elucidate some on the calls being made that were heard this weekend and add a bit of context. In the case of these messages, the timing plays a key role. It seems that this weekend Putin’s forces were making runs into Syria again and this may be the reason that this EAM channel was spun up. The call signs COLLAPSE, RING DOVE, and FLATTOP are all the bases making the EAM. The coded text you hear them uttering is just that, coded text, and it may be a frequency to tune to for encrypted comm’s or it may be just a word or two. This is the basis of what is happening here. It seems that whoever and wherever our personnel, likely in the air, were getting orders to perhaps avoid running into trouble.

That is just a supposition though…

Of course given that there has been a lot of action lately including Russian planes getting into our and others air space…

http://www.wsj.com/articles/russia-says-jet-fighter-approached-u-s-aircraft-over-syria-to-identify-it-1444827032

http://www.express.co.uk/news/world/612828/Turkey-threatens-shoot-down-Putin-s-planes-drags-West-war-Russia

http://english.alarabiya.net/en/News/middle-east/2015/10/16/Turkish-military-an-aircraft-of-unidentified-nationality-was-shot-down.html

Keep an ear on those channels kids.. Shit is getting intense.

K

UPDATE: This code name was used before in 2008

2032z 25 Dec 08 11175.0 was active at 2027z with COLLAPSE (strong to good levels here) bcsting a 28-character EAM (Y23NIJ) preceding OFFUTT‘s 2029z HFGCS bcst of same. COLLAPSE was strong enough here to punch through OFFUTT’s good level bcst. Despite COLLAPSE’s signal strength on 11175.0 nothing was heard on 4724.0, 8992.0 or 15016.0

Written by Krypt3ia

2015/10/19 at 18:38

Posted in .mil, Numbers Stations