Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Propaganda’ Category

Russian Active Measures: Propaganda, Targeted Ad’s, and The Mob

leave a comment »

Handbook of Russian Information Warfare 2016

 

With all the talking heads on CNN expounding on the ad buy’s in Rubles and the oblique presentments by the senators yesterday on the Russia collusion investigation on C-Span, I felt the needs to drop some knowledge. All of these measures are not new but it seems like the general populace, the government, and the media all cannot comprehend that fact. Propaganda has been around since the dawn of civitas and today it is just more able to be used more nimbly in our hyper-connected society. With the advent of social media, the use of propaganda has been been turned into a more precision tool using demographics, analytics, and a medium that engenders itself as a new asymmetric warfare tool and this should be no surprise to anyone.

Propaganda has long been a tool for the radio, print, and television media to be paid and or tricked into releasing content that serves one of the political masters out there. However, the new wrinkle is the heuristics of computing and social dynamics data thereof of all the data points that we now collect on everyone who is using the internet or sites like Facebook, Google, or Twitter. So much information is collected today that it is possible to accurately determine how a person thinks and acts given their preferences and their secret activities that are seen by the algorithms inside these systems. Unless someone today takes greater pains to obfuscate their activities, companies, and governments can easily mine that data for ammunition to create such things as the black propaganda we saw used in the 2016 election cycle here. Since people really don’t pay attention to the other countries out there, they too would have seen the same measures used in places like Ukraine if they had been paying attention.

Previously I had posted about such measures in Ukraine that included the whole cloth creation of a media company to manipulate the populace there with propaganda as well as the use of malware to spy on the populace. Today I am covering the precepts of the use of our own systems of social media as well as our collective group psychologies to sow chaos. Given the outcomes in the 2016 elections and the continued attacks on our psyche’s by Russia post election we now have a pretty good idea of how the dynamic works. One must though take into account that human nature plays the largest roll in this type of warfare for it is the base of the equation that the Russians are trying to manipulate. The targeting of ads to key states and cities was just a targeting mechanism to the overall more targeted PSYOPS operation that was at play. The Russians parlayed the divisions within the US by creating echoes within already nascent echo chambers for those who are of like minds on social media systems. Once the psychology was worked out it was just a matter of locating those pockets of people and then creating the media (e.g. fake news) to feed into those systems and agitate those people into a frenzy.

Once again, human nature was keenly leveraged to sow chaos as well as being a vehicle for those noise to signal messages (dog whistles) for the believers and I can appreciate that. Frankly I am in awe of the techniques used while at the same time I am concerned that there are no real ways to mitigate these kinds of attacks due to that said same human nature. We all have our bias’ and we all ascribe to our own echo chambers whether we do so consciously or not. Social media in itself is the perfect medium for this and we just fall into place as the lizard brain takes over. So when people today ask the questions around how to combat this type of thing I often say that there is no real way to stop it. We can of course use people to look at ads like Facebook is doing now, having hired or in the process of hiring thousands to do so. Or we could just look at the ad buys and insure that they are not being paid for in Rubles… But these means are clunky and the adversary has many other options so in the end it will not work.

The ongoing Senate investigation into collusion and the Russian active measures campaign in 2016 has many people also asking specifically about the targeting data. Did the targeting data come from the Trump organization? Well, yeah, it may well have come from them or it could have just been collated from online searches and a working knowledge of the electoral system. You see, this attack was simple enough to calculate if you wanted to attempt to win the electoral college. One can Google the states that are key to winning the electoral vote but it is the fact that it seems the targeting went down to actual names and addresses that matters. I for one would be asking Cambridge Analytica about that data and how it may have come into the possession of the Russians. Now it is possible that the Russians had their own parallel program for this, or it is also possible they hacked into Analytica for it, and as far as I am aware of no one has asked for a forensic analysis of CA’s security there. Of course the data could have been handed off by someone like Paul Manafort as a quid pro quo (black caviar) right? Or perhaps it was Jared as a means of paying off his Russian friends in hopes of a loan to cover his bad real estate debts? I also think that it is possible that the rolls hacking that happened in the same time frame could also be the answer to this. It is possible that all those rolls were copied, sifted, and used for targeting of propaganda at the final stage of the race to the White House.

At the end of the day though, the problems of social media, cognitive biases within the populace and the mob mentality that humans tend to fall into (Republican/Democrat/TeaParty) will not be going away. We are creatures of habit and limited by our own brain biology. Do not expect that knowing that there is a propaganda campaign will stop those willing to receive it from buying into it whole heartedly. Social media isn’t going away anytime soon and the idea of algorithms being the key to stopping this is a falsehood. It all really just matters how you consume this media and how you react to it. If you fall into the echo chamber of cognitive bias or bent, then you will likely become a part of that machine and not be able to separate the truths from the bias truths that you personally ascribe to. So when you all ask how this happened remember that we are the culprits, the people.

K.

Written by Krypt3ia

2017/10/05 at 14:51

RULEAKS: Russian Media and Disinformation in Ukraine by the DNR-ONLINE

with 3 comments

INTRODUCTION:

Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all come from Russian backed Ukraine sources. RUH8’s dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOC’s but once I harvested the email spool itself and began to get things translated things got even more interesting.

Once I mirrored the site I got some help from <REDACTED> and set to work in translation of emails and documents attachments. Most of the bulk of the dump is average emails concerning daily business but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (The Russian separatist area of Ukraine) and those outside it including other countries outside of Ukraine.

Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.

THE LEAK:

The leak by RUH8 in the darknet consists od more than a few entities email spools as well as individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dir-online.ru. This is a media org in Ukraine that is Russian backed and as I said before caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day but five documents stood out amongst them all (frankly there are more to be analyzed and one needs Russian speakers to translate them all) as being all things shady.

RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.

THE PROPAGANDA PLAN:

Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.

DOC1

From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad. And also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, Website hosting, web administrators, editors, advertising, The amounts — which are, for some reason, in US Dollars, are $9,250 for initial set-up expenses, and $38,280 ongoing costs. Those could be monthly costs — the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month.  The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month! 

DOC2

From Translator: is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misformation from Kiev. Sounds totally legit.

Oh, and I figure out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia — something like 20 years ago, when the Soviet Union had just collapsed, inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit” — which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.

Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.

So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.

Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).  

They’re expecting 100,000 unique visitors a day on weekdays.

It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.

So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.

Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expensies. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.

This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).

They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.

That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…

DOC3

From Translator: This is super evil. I’m really impressed! The idea is is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.

DOC4

From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.

DOC5

From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.

DOC6

From translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.

So here is the context from these documents from the translator for you…

From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wresting federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.

Bryusov then forwarded them on to Surkov.

So, how likely is this?

Well, I spent a some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)

Russia also paid the operating costs for the Abhazian press center, where I spent many a happy day. All international phones calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgias and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)

Anyway, the bottom line is that I do have personal experience of Russian spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.

As you can see from the commentary above, and you too can read the documents as well, the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a Free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through Threatcrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough the site itself is not a C2 but it does have connectivity to other IP addresses and domains that are.

dnr-online.ru

WHOIS for dnr-online.ru

5.101.152.66

The archology of malware that talks to 5.101.152.66 is rather interesting. There’s a bit of everything bad attached to that one to be sure including that MrSweet address that is ransomeware central. 5.101.152.66 is owned/created by beget.ru which has quite the many few dirty connections as well.

beget.ru WHOIS

beget.ru

Of course beget could be innocent enough but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or domain names and that will be another post I am sure. What all of this tells you though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine as well as what they did to us in the election of 2016. This is not a one time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until it’s demise.

… and likely past it.

THE MALWARE & GROUNDBAIT:

Right! now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware. All the word docs, excel sheet, power-points etc. The docs all checked out but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe) Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe came from an email comiing in from a Russian source to the head of dnr-online. I am unable to source the headers at this time of the email but the question becomes was this malware sent to the DNR by RUH8 or was this malware sent to DNR to send to others in some other campaign. I cannot say either way but, the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine it stands to reason that the logic here is that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text and to me it seems to imply that it is a fix for things inside dnr. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.

An interesting notion…

I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOC’s for this file for you all to look for.

IOC’s

Filename: Recovery Control Center Help DNR-Report for October 13, 2015
Filetype:.exe
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip

https://www.hybrid-analysis.com/sample/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e?environmentId=100
https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/

https://virustotal.com/en/file/4eaf154ce8974228db6e35a1364337a12b821b73f052a44dc24ebdf0c1da6a4e/analysis/1484661011/

Dropped executables
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”

Writes directory archive.rar (exfil)

C2 connected:185.68.16.35
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1

https://www.threatcrowd.org/ip.php?ip=185.68.16.35
https://www.threatcrowd.org/malware.php?md5=7accb6fed266a2023659f438ad1b3546
domain:      wallejob.in.ua
descr:       Domain registered for customer of Ukraine.com.ua
admin-c:     UKRAINE-UANIC
tech-c:      UKRAINE-UANIC
status:      OK-UNTIL 20170619000000
nserver:     ns114.inhostedns.com
nserver:     ns214.inhostedns.net
nserver:     ns314.inhostedns.org
mnt-by:      UKRAINE-MNT-INUA
mnt-lower:   UKRAINE-MNT-INUA
changed:     hostmaster@ukraine.com.ua 20160907200219
source:      INUA

Found malicious artifacts related to “185.68.16.35” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
https://www.threatcrowd.org/domain.php?domain=wood-house.com.ua

URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
https://www.threatcrowd.org/domain.php?domain=wallejob.in.ua
https://www.hybrid-analysis.com/sample/319e9dc36678c4d774ba0765ec93d3160bd476ab0f98bac1b7e5b92e7994a88a/?environmentId=1

URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
https://www.threatcrowd.org/domain.php?domain=zarabatak.ru

URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
https://www.threatcrowd.org/domain.php?domain=psh.co.ua

URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
https://www.threatcrowd.org/domain.php?domain=sem-dev.co.ua

wood-house.com.ua
domain:           wood-house.com.ua
dom-public:       NO
registrant:       xdkjv649
mnt-by:           ua.intermedia
nserver:          ns311.inhostedns.org
nserver:          ns211.inhostedns.net
nserver:          ns111.inhostedns.com
status:           ok
created:          2014-11-07 13:31:27+02
modified:         2016-11-03 16:37:39+02
expires:          2017-11-07 13:31:27+02
source:           UAEPP

registrar:        ua.intermedia
organization:     SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
url:              http://names.com.ua
city:             Melitopol
country:          UA
source:           UAEPP

contact-id:       xdkjv649
person:           Vladimir V Rabotnov
person-loc:       Работнов Владимир Владимирович
e-mail:           not published
address:          not published
address-loc:      not published
phone:            not published
mnt-by:           ua.intermedia
status:           ok
status:           linked
created:          2013-04-05 15:01:02+03
modified:         2014-01-08 23:42:17+02
source:           UAEPP

 

TYING IT ALL TOGETHER:

So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic put together a media service(s) and planned to use them as a framework of Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within it’s mail spool being passed around at least to two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.

I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest to you all that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here” which is interesting to me. I mean malware that no one has seen really and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spent the cycles on looking deeper into the data. I actually did with the help of others as well as checked the forensics on the metadata to insure the stuff was real.

…but that’s just me… I am not a churnalist.

Oh well..

More when I have it.

K.

UPDATE!: One day after this report one IP address involved as a nexus of malware has changed it’s domain name! Coincidence? Hmmmm?

Screenshot from 2017-03-29 06-14-33

Written by Krypt3ia

2017/03/28 at 13:00

The QNB Hack: Cui Bono?

leave a comment »

Screenshot from 2016-05-02 11:14:51

The Dump

The recent dump of data from the Qatari National Bank was of interest to me and many others because it was purporting to have the accounts and identities of spies within it’s csv and text files. I downloaded the files from Cryptome thanks to someone pointing me in their direction and took a nice long look. As the story has unfolded it has come to light that the bank itself says the data is real and that they are now “completely secure” which is amusing given that this was an ols SQLi attack that netted this Turkish hacker group the jewels of QNB.

The dump consists of the oracle database files, the passwords, and the banking information of all the users therein. I have to say that most of it is really quite pedestrian but then the hackers, or the bank management,  created file folders (as seen above) that marked people as spies, Mukhabarat, Security, Gov, and other tantalizing names. I first had thought that the file folders and their speculative names had been created by the hackers to sex up their dump but it has come to light that if you look within the database dump itself you see the directories and names have headings like intelligence and defence. So it seems that the bank itself may in point of fact created these tags in the belief or inside knowledge that the people in the data were in fact what they claimed, or at least thought they were.

The Spies

I looked at all the interesting folders and the data all the while wondering about the validity of the idea that these names were in fact corresponding to real assets, NOC’s or just functionaries in Qatari space that had just been quite well blown by this hack and subsequent data dump. On the whole I would call into question all of the names being linked directly to espionage organs. I really have to wonder if the bank would in fact be that “in the know” about spooks in their country and really have to be circumspect about their putting that in the users bank records. I mean even the Mukhabarat would at least demand that it be obfuscated one would hope by a code of some sort and not just in the headers/directories themselves.

It really kind of feels like the natural tendencies of the Arab nature had gotten the best of the database admin and the managers of the bank and they believed that these people were spies without there being any real proof. In any case, if these people, especially those who are FORN and in country, now may have some trouble with people thinking that they are really spies and subject to attacks. Imagine if you will any jihadi types who might take this data as gospel and go after these people for da’esh or AQ. This could be bad. I have yet to hear of anyone leaving their positions or the country. If I were one of them I would at least be looking over my shoulder henceforth.

Screenshot from 2016-05-02 13:58:40

Screenshot from 2016-05-02 13:58:58

Screenshot from 2016-05-02 13:59:40

Screenshot from 2016-05-02 15:33:48

Screenshot from 2016-05-02 15:34:40

Screenshot from 2016-05-02 15:35:19

Screenshot from 2016-05-02 15:38:52

 

Screenshot from 2016-05-02 15:43:58

The other data I can see perhaps the military accounts and names being totally on the money because they are their own Ministry of Defence and really, that is not top secret stuff. Likely the bank see’s where these people get their pay from (Qatari funds from the gov) but even these people could now be targets because this hack was motivated by political means it seems after all.

Cui Bono?

Screenshot from 2016-05-02 16:10:09

It seems that the Bozkurtlar (Grey Wolves) a Turkish political group and their hackers were the perpetrators of this hack. There is a long history between Turkey and Qatar and most of it seems kind of benign but when you scratch the surface a bit you can see that there are some issues between them as well as some synergies in their support of certain terrorist groups like da’esh. (click linked image below)

Screenshot from 2016-05-02 16:13:47

Screenshot from 2016-05-02 16:12:09So, “Cui Bono?” Well, certainly the Grey Wolves, to what end I am not completely sure. They did post their video before the hack hit the pastebins out on the net so it was pretty much their gig but I still don’t quite understand why. Perhaps these hackers are quasi wolves and or it is some other entity using the wolves as a cover for their activities. Given that there has been no real perceived fire coming out of Qatar over this nor in other areas of the world that we are aware of, I kind of doubt all these people were in fact assets of foreign powers.

At the end of the day, this just turns out to be yet another derpy easy hack using SQLi on an entity that wasn’t performing any due diligence but it had the sexy sexy for the masses with the idea that some great hack exposing spies had occurred. In my opinion not so much really. So hey Grey Wolves, gimme some more context would you than some poos British shmucks MySpace page in the future would you?

K.

Written by Krypt3ia

2016/05/03 at 00:08

ASSESSMENT: The ZunZuneo “Hummingbird” Social Network and The Cuban Spring

with one comment

Zunzuneo

 

Cuban Intranet and Internet Access:

Cuban internet access is minimal and very controlled the the government. There were as of 2011 about 124K addresses listed to the .cu domain on the internet belonging to Cuba and the average ownership of a computer was low. The same was true over cell phone ownership and use compared to other Caribbean countries. The regime’s control over all of the infrastructure pervades to the intranet being primarily a tool for propaganda and a means of control via surveillance on those who could access it.

Screenshot from 2014-04-06 07:13:01

Internet access though became a feature to the rich in the country or the political (both are the same in reality) and one could buy access to the internet for a hefty price underground. In fact some blogs have shown up over the years on the proper internet after dissidents paid for or obtained access either themselves or by exfiltrating data to outside sympathizers for publication on blogs like WordPress or LiveJournal. Generally, if you wanted a source of outside news you had to either buy access to the internet in the black market, get it on the streets from people with SW radios, or by some other means. This control over the media and technology has perpetuated the control of the Castro regime and allowed his dictatorship to continue.

CUBA CYBER

Cuban Telco:

Cubacel also is a single proprietorship of all cell phone communication (state run) on the island and in fact the ownership of cell phones is one of the lowest as well in the world for penetration of cell phone owners and use. This too means that the Castro government has greater control over what the people can access as well as a single point of surveillance that can be used as a mans of control as well. Of course today this is all being said in the age of the NSA tapping just about everything so please take this with a grain of salt and the knowledge of how that makes you feel about surveillance by any government.

Screenshot from 2014-04-06 07:24:17

I am unsure of the prevalence of cell phones today in Cuba but I am guessing that these statistics are only a little different today due to the controls that the Castro government has in place over it’s populace as well as the poverty rate of the island itself disallowing general ownership and use. While the numbers may have grown so too might the attitude of the government due to a shift in power from Fidel to Raoul Castro. While the former was a bit more hard line the latter seems to be a little more open to allowing the country to loosen it’s grip on the people and allow communications with the US. This may also play a part in easing the minds of the people into thinking they could in fact use cell phones and platforms like ZunZuneo to air grievances.

ZunZuneo:

The ZunZuneo platform went live in 2010 and was a “Cuban Twitter” which was text based on the cellular network on the island. It was in fact a program put in place by USAID (likely a covert program run by CIA in reality) and ran until about 2012 and at it’s end it had about 40 thousand users on the island. The broad idea of the project was to have the Cuban’s generate their own “buzz” around dissident ideas and allow them a means to text one another outside the controls (ostensibly) of the Castro governments eyes and ears. This though likely was not a complete success nor was the program a success from the standpoint of mass demonstrations happening either as far as can be seen by any news sources reporting on this.

ZunZuneo was inserted and run by contractors and purported to be a Cuban creation with cleverly hidden funds and controls from USAID/CIA. The program’s aegis was to insert itself, gain a user base, and then to start to send texts to the users to spur political unrest against Raoul and Fidel Castro’s government. In the end the program came to a sudden halt due to finance issues (alleged) but the reality is it never actually got the directive to insert itself as an influence operation. It operated unbeknownst to the users and in reality was a failure because I think USAID and CIA had hoped they would see dissent traffic on it’s own. It did not and thus perhaps the idea was seen as not feasible and the finances were withdrawn.

YOUTUBE

Influence Operations:

 

Screenshot from 2014-04-06 07:36:44

 

Influence Operations are nothing new and over the years many have been carried out on places like Cuba. With the advent of new technologies like the internet this has become even easier to carry out on average when the populace has easy and free access to the net. in the case of Cuba this is not so much the case like the DPRK. I would say though that Cuba has a much more permeable information border than the DPRK due to it’s geographical location as well as the current regime’s leanings towards opening up a bit more. Though it is still the case that the current government still holds all the keys to information flow as well as a secret police force that controls the populace who get out of line. So it is no paradise of freedom and beauty.

That the US decided to use USAID to carry out this operation is an interesting choice but in their charter is the mandate to “spread democracy” so while some might question the aegis here and say that this was a rogue operation I don’t necessarily agree with that. One must understand that at least USAID has access to many places under its mission in general of providing humanitarian aid so there is purview there. The question though becomes do we want to taint such an org in the future and deny access to critical areas where people really do need help? This will be the fallout from this in general globally and likely will hurt people in the end. As influence operations go though this was a bit of a flop in the short term however. In the long term though perhaps this may lead an internal company or group to create a new ZunZuneo because the 40 thousand people using it really enjoyed it. If someone were to create a new one and if the populace felt that they could in fact speak their minds freely, then maybe they would rise up.

ANALYSIS:

My analysis of the ZunZuneo operation is that it was a novel idea but lacked oversight. An influence operation that inserted itself as a platform for communication in a place where cell phones and internet access is tightly controlled was a gambit that was bound to fail in my opinion. This was in fact the digital equivalent of releasing balloons with propaganda over the DPRK (which is ongoing today) and does not have a penetration level at which a real traction could occur. It is my belief that the CIA/USAID thought that what they had seen with popular uprisings like the Arab Spring could be effected in Cuba internally by it’s populace. What they failed to comprehend was the amount of outside help the Arab Spring had from the likes of Anonymous and the general internet to assist them in carrying it out. In the case of the Arab Spring and other incidents the governments attempted to clamp down on communications that they controlled only to be denied absolute control by key players outside allowing access through POTS and other means.

In the ZunZuneo scenario two things did not happen to cause it’s failure at the end. One was that the populace who had access perhaps did not feel they could speak their minds because everything was on Cubacel to start with. The second was the fact that this program was not a populist movement from the start. You will note that the other “spring” incidents had access to the internet proper not only on twitter but also by other means. These countries already had a populace who had access to external information and were consuming it regularly. The same cannot be said about Cuba in general as I have described it above. The traction just wasn’t there because the people know already that the vehicle that the information operation was to use was already monitored by the government that is oppressing them.

At the end of the day though I have been seeing an easing in the Castro regime since Raoul took over from Fidel and this would I hope, continue as the two of them age into retirement (aka their graves) and the people might have a chance at that point to make a change. Time will tell just how much more Raoul opens things up post this little debacle. However flights in and out of Cuba are more plentiful and there is a flow of monies etc that could be much more beneficial in the long run than any influence operation ever could. My fear though is that the old guard Cubano’s in Florida may have had a hand in this as well and there may be more out there in the wings. It could upend the growth that has happened and that would be a shame.

K.

Written by Krypt3ia

2014/04/06 at 12:22

Creating Your Own Privacy & ROI

leave a comment »

img courtesy of XKCD http://xkcd.com/

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Preamble

With all the alleged revelations over the drift net surveillance happening to us all by the government I and others have been pondering the processes needed to protect one’s communications online and over the phone. Wired and other venues have put out reasonably ok articles on this but generally I think they have lacked on the ROI factor for the varying degree’s of surveillance that has been carried out for some time now, not just the NSA with PRISM. The immensity of it all I think can put one off on the idea of being able to keep their privacy especially given the pains that one must take to keep it on the nation state scale. However, there is much that could be done to have a modicum of privacy but one just has to understand the idea of OPSEC and have some technical base to work from in order to use the technologies such as TOR or CRYPTO in the first place. It is another thing altogether to keep that mindset every day and to understand the import of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the “Loopcast” recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We all are connected to the net in some way whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smart phone the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoo’s on one’s neck here, all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored later for perusal when needed) by the NSA it seems, but also the GPS data as well. Remember the hubbub over the Apple collection of GPS data on the phones a couple years back? Remember the outrage on some parts over this? Well, now look at that in relations to how much of that data is accessible by the government too in this program. More to the point and this has not really been talked about, but are they correlating that data as well in the phone surveillance being carried out? My assumption is yes but like I said that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok so now we are being data mined and correlated on the phone calls we make (metadata). Of who we are calling, how long we are talking, and when as well as  the GPS (location) as well?  All of that data is very informational about the habits of a person alone but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. Which I hasten to add that there are rumors of the caching of conversations generally not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are because of the access the government has built for themselves post 9/11 with the Patriot Act as it’s fulcrum. Access mind you that we are giving them by proxy of the devices we buy and the services that provide the connection because without them we have no way to communicate other than in person or pen to paper with the post offices help right?

All of this though does not mean that the government is spying on you now. What it means though is that the legalities have been created or bent to the will of the government to have the illusion that the wholesale collection of all kinds of data for later use of anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveill you vis a vis your data that there is a chance that someone within the system “could” and “might” do so outside of the rules and that is the problem here … Well other than the Constitutional, moral, and ethical issues that is. Just because it is against the rules does not mean someone won’t do it if they have the access. You know.. Like EJ Snowden having access to highly classified data that perhaps he shouldn’t have? Or furthermore the availability of Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who’d listen right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above in that the corporations that offer you the services (Gmail/ATT/Facebook etc) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things etc. It is this practice of collecting all this data on us and our complicity in it that has given rise to the drift net approach that the government has taken with the surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with in email or posts to Twitter and Facebook for example. YOU are the culprit because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are, what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It’s a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here ya know.

So when you think about all this surveillance going on please remember that you are complicit in it every time you surf the web, make a facebook post, a tweet, or send an email unencrypted (Google analytics kids) because they are all sifting that data to “get to know you better” *cough* It’s just a friends with benefits thing as the government see’s it being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn’t effect the bottom line (money) for them I suspect their worries about privacy are, well, pretty low on average. I mean after all you have already signed away your rights have you not? The little sisters are insidious and subtle and I am afraid they have already become metasticized within the society body.

The Only Privacy You Can Have Is That Which You Make Yourselves

“The only privacy that you have today  is that which you make for yourself” is something I said a while back on a blog post or podcast and I still stand by it. It seems all the more relevant in the post Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems though with all of these things as you can always make a mistake and end up leaking information either technically (an instance would be logging online with your own IP address to something) or process wise like putting your current location on Facebook and saying you’re on vacation for two weeks. It is all a matter of degree though and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it, you can only fight the nation state so much with technology as they have more resources to defeat your measures eventually by end run or by brute force.

On the level of defeating the little sisters, well the same applies but with limitations. You can in fact surf the net on TOR with NOSCRIPT, cookies disallowed and on an inherently anonymized OS on a USB stick right? The little sisters can only do so much and they only interact when they see a profit in it. They after all are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata right? However, if you start to anonymize yourself as much as you can and you are diligent about it you can stop the Little Sisters which in turn may minimize what the Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on and what the ROI is for each adversary involved. In reality unless you go off the grid, change your identity and never touch another piece of technology ever again there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as other things but that is an extreme just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart and you can have a modicum of success if you are diligent.

A for instance of this ROI would be on the phones. If you TRULY want to be private then you have to lose your smartphone that you have billed to you and buy a burn phone. Cash is king and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones out there without any metdata that ties it back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on… It’s not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products nor are they capable of installing a Linux system and running something like GPG. This is not going to work for everyone as well as not everyone is going to care about their privacy as the recent Pew poll showed where 56% of polled ok with surveillance program by NSA.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy and certainly don’t believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren’t hashed or encrypted in any way by companies hacked by LulzSec. As well you should not trust the government, no matter how well intended, that they will be ABLE to protect your privacy as we have seen with recent events like Brad Manning’s theft of (S) data as well as now Snowden (TS/SCI) The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well….

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there well, unless you go luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are and much of that comes from the little sisters. Your ROI here is minimal because they have the power and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and emails and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC the NSA.GOV on each and every email today it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like emails then you will be also geometrically heightening your privacy status. But you have to do it.. AND that seems to be the hard part for many whether it is laziness or apathy I am not sure.

Privacy is what you make of it… He says as he hits enter on a public blog post!

K.

[Jmhhw Kutdegc ohl Vmgi Uizvsr pspmspw avuzyiw ypicl Qephcv Tmwfcj’a yere. Kutdegc plqfkw sd Vqklsn vcukipd.]
Polvc Ayzfiui: Elr npwr, xfslm’k Qephcv Tmwfcj…[tgsoq on i xspbsl ezmpc Auzlmr fom i tpely mbsvi. Uoftsgi rilvk xlc titviv rc mpga mr vua fs tydyzk] Li bcyaf’x wcsg bg lets u xswx.
Zwmpgt: [Ayzea saew] W’g agvvw, pob A hsl’h qwjo jmf npw kstslveirr.
Rckc Kspriv: Oi hm. [Gbwow e aoll] Fexgchid Wiailqlc Eeshkq.
Fmqvix: Sl. Cmi’lm lli eisa A liyf vzwexfwho gr xfs ibziv cbx wx qc nvivw.
Hmay Awjhsl: Bi, bzex’q hbm XFM. Us’lm fsx avuzlivcr zwj hsksmbag wsfpmappybwm.
Tmwfcj: Wz, M wcs. Swm nyqh idwvxffie yszcfhuwrxq. Gyb mt jpwyvvpc bwwbsxspg.
Xquo Kmfxwf: Rs, rvub’k xlc QCI. Oi tpcnmux ssf awnivlayvl’w gmagcfmgyhcwfw, ac hlg ls fpsus lli mhbmj jijzu’a ushcg. Qm’ji xfs awgh ksmm, Usvxw.
Pcazst: Esy, Q uer’r hytd css kbil e vczcmx xlyh ca…Vmgi.
Rckc Kspriv: Uleluy ggyv kwhl, uepj im il xlgg hcefip… [ucdww Fggbwh e jmzxmv tmcqy wx tensl] Uj. Fvgqy.

A Few Words On Body Bombs and Security Theater…

with 4 comments

//BEGIN

//UNCLASS

Has AQAP Been Watching “The Dark Knight” Or What?

It seems lately that the officials out there “in the know” have decided to allow a leak about a certain 15 page report alleging that Al-Asiri, the mad bomber/designer and much described “genius” of terror, has been attempting to perfect a design for an internal “body bomb” Now, no one really knows if this is indeed “the truth” or just how far Asiri may have come in his plans to create these surgically implanted bombs. However, what one can extrapolate from the press on this thing and the sources on “background” willing to talk, is that this seems to be more of a propaganda ploy than anything else on the face of it.

While I have no doubt that this vector of attack has been on the minds of AQ for a long time, so too has the use of CBRN, but to date, they have not been able to do anything in those areas and in fact the BIO warfare program they tried to start was a miserable failure. So, do we really see them getting to the point where a convincing as well as operational “body cavity bomb” is actually put to the test? I suspect that it may be some time until such a plan is put together and operational but as the media would have it now, as well as those leaking the “details” here, they seem to be saying FEAR NOW!

The Case for Surgically Implanted Munitions: Possible, Crazy, Exceedingly Hard to Pull Off

Now that we are all abuzz about the “surgically implanted bombs” lets take a look at the actual nitty gritty of how this would have to be conceived and acted on to work.

  1. You have to have a willing shahidi… Well, there are some out there so there you go. One that is willing to have srugery as well as recuperation time, well, ok… Harder but possible
  2. You have to have a sealed, self contained system that will not bleed (inside the device) and make it malfunction
  3. You have to have explosives that are high power and yet only require small amounts to be of use
  4. You have to have no metal parts to pass through the magnetometer
  5. You have to have a surgeon or surgeons willing to do the cutting and sewing (Well Ayman is a Dr. after all too so…)
  6. The device will have to be hidden enough inside the body so as to not alert others and preclude mobility issues (i.e. small, though the BVD bombs seem to be so as well)
  7. Your detonator has to be either chemical or electric/remote (timed or say an RF device) I lean toward chemical for these but who knows
All of these facts are not impossible to overcome, however, they are pretty tough in the long run to get working for you and have a success. Now, with all of this said, I guess the question then becomes are what are the odds that this is going to happen? Maybe even one might beg the question of how soon? You really have to want this and in much of the AQ mind, many things are termed as “aspirational”, a term meaning wild fantasy, much like a lot of their doctrine and hopes. This by no means means that they are in fact going to happen.

The Case for FUDDERY as A Means to an End For BOTH Sides

So, what we have here though seems to be a lot of clucking about bombs inside of people and the fear mongering that goes on with some quarters of the intelligence community feeding this all to the media. SOFREP, a site concerned with SOF (SPECOPS) had this story out there last week and now it seems to be making the rounds with backup data (background from anonymous sources) that the mad bomber is in fact working on this with a cadre of doctors. Of course one can only assume that this “data” is perhaps coming from the recent mole that got into AQAP posing as a suicide bomber and stole their new prototype BVD bomb.

If true, then yes, sure, they had plans and were trying to make a bomb system that would be hard to detect, I mean, how many MRI’s are at the airports now huh? If this data did not come from the mole though (and there is data that this has been floating around now since at least last fall, way before mole man) then why now is this being thrust upon the media? Or, now that I think about it, there was that arrest of the guy with the pr0n that had the stegged “future work” file in there.

AH HA!

I am willing to bet that is the provenance of the file in question. Ok, so, there you have it. We have the plans and.. What.. Why release this to the public? I mean, what real purpose does it serve other than to scare the populace into submission? In the SOFREP report there is mention of something along the lines of “So how do you feel about your L3 machine now?”Uhhh, just fine really, I mean, it won’t help me if there is a surgically implanted bomb, but it gets much of the rest of the stuff when used properly. I am guessing that the impetus here was to make the TSA look good, by saying “you think you are hassled now, but look at what the jihadi’s are planning!”

Honestly, sure, it could happen, but the odds are slimmer than one might think I think and this seems to be a play here to manipulate the public mindset. Others have called the same foul on the play here but I just wanted to put it down here and sort through all the issues to ascertain where the truth might lie. In this case, for me, it seems like this story serves the purposes of both sides. For one, the security services here and the politicians both get a win by leaking data to sow fear, a fear that was ever so well used in the past (like G’Dub’s admin) and others to sway thought and perhaps lessen resistance to certain things. On the other side, this also works for AQAP because even if they are planning it, they are causing us to create even more elaborate Rube Goldberg devices to stop them, costing us more money and time.

It’s a win win for all of them.. FUD it seems is a booming business.

So, IF They Make These Bombs Happen Then What?

In the end, it comes down to this; “What are we going to do?” Do we really expect that we will now install MRI’s and X-Ray machines in the TSA lines to scan our internal organs as well as the sniffer/blower/wand/m-wave that we already have? This is a means of bombing that would be hard to detect if done well and certainly would not easily be seen under clothes or even with an M-Wave scan if it is not protruding/bulging the persons body in some way. Hell, for that matter, AQAP should just be looking for morbidly obese shahidi candidates huh?

Certainly, leaking this data to the news serves little purpose than to perhaps get people (including those on the hill) to buy into new measures and monies to appropriate them? It would not make one whit of difference in the current protection scheme now would it? Frankly, if AQAP and A-Asiri have been working on this, and it were a major threat, I personally would not have been dropping this to the media. Keep the intel secret (as the report is alleged to be) and keep it out of the public eye…

Unless you all think that by leaking this data you are retarding the chances that AQAP will try this method? I really don’t think that will be the outcome here.

In the end.. I call shenanigans.

K.

//END

//UNCLASS

Written by Krypt3ia

2012/05/14 at 19:34

Posted in AQAP, FUD, Propaganda

Anonymous, SCADA, LULZ, DHS, and Motivations

with 2 comments

Anonymous Is Interested In PLC’s & SCADA?

A recent .pdf bulletin put out by Homeland Security (i.e. DHS) claims that certain actors within Anonymous (and by that they mean “anonymous”, I added the distinction) have shown interest in at least Siemens SIMATIC PLC’s and how to locate them online for exploitation. It seems that DHS though warning about this threat, is not too concerned about its actually being exploited by the group because they lack the expertise to attack them. So, why the BOLO on this at all? If the collective cannot do the damage to the infrastructure that you are entrusted in keeping safe, then why report on it at all as credible intelligence? It would seem to some, myself included, that Anonymous is not the problem that they are really worried about on the macro scale, but instead, those who may claim to be Anonymous hitting small scale facilities or pockets of targets for their own purposes.

And therein lies the difference.

If indeed Anonymous the collective is looking at attacking SCADA, one has to wonder at their reasons to target such systems. After all, if Anonymous takes out the power or poisons the water, it will not look good for them PR wise. In fact, were such things to happen in the name of Anonymous, I can pretty much guarantee you all that they would be enemy #1 pretty darned quick post an attack. However, if they were to target a company such as a car maker that pollutes, then, you have a real agenda (per their social agenda of late) So, the targeting is really key here and I will cover that later on.

DHS Jumping The Shark?

The motivations of the release by DHS have also  been called into question by some as to why they chose to talk about this at all. This is especially prescient since they take pains to say that the Anonymous movement “most likely” does not have the technical means and motive to really pull of these types of attacks on the infrastructure. So why even bother? Perhaps they are just covering their bases (or asses) just in case the Anon’s actually attack? Or perhaps, they too are clued in on the fact that even if claimed to be anonymous, it could be others working against the US (Nation State Actors) who have chosen to attack and use Anonymous as a cover so as to throw off attribution.

Either way, as some look at it, it is almost like they are daring Anonymous to do it out of spite because they are calling Anonymous’  factions and actors “inept” or “unskilled” which, might get their dander up a bit. All of these scenarios pretty much do not preclude someone hitting SCADA systems in the future and it being blamed on Anonymous, which will bring on a new wave of efforts by the government to stamp them out. Reciprocity being what it is, this too will mean that Anonymous might in fact gain strength and sympathy from such actions and fallout as well.

For me though, I just see DHS covering the bases so as to not be blamed later on should something happen. Not so much am I of the opinion that they are in some kind of propaganda war here with this little missive.

Motives, Means, Technical Abilities

So lets go with the theory that certain elements of the Anonymous collective want to mess with the infrastructure. Who would they target and why? More to the point, what companies would they target that fits their agenda?

  • Telco?
  • Power?
  • Manufacturing?

Those are the three areas that I could see as potential attack vectors. Though, once again I have to say that the only two that I see as real possible would be the telco and manufacturing and even the telco would be dangerous for them to try as well. I mean, if you start messing with Ebay or Paypal that’s one thing, its quite another to mess with national infrastructure, as these two would be considered. If indeed Anonymous hit them and took them down for whatever reason, they would then be directly considered terrorists… And that would be seriously bad for their movement and its legitimacy.

Now, we do know that the  Anon’s hit the BART system but as I remember it, it was BART that took out the communications infrastructure themselves so as to prevent communication between anon’s. So, this just doesn’t seem to fit for me either. Manufacturing though, as I made the case above, could be something they would try. It’s not national infrastructure and it will not take the country down if they stop something like cars  being made.

Is it just me? Or does anyone else just see this as a non starter for Anonymous central? What I do see is the threat of other actors using the nomme de guerre of Anonymous as cover for their actions to mess with the national infrastructure. Perhaps some of these people might in fact be motivated by anonymous, but, my guess that if there were to happen, it would be nation state driven… And something I have been warning about for some time.

Anonymous, as an idea, as a movement, will be subverted by those looking to fulfil their own ends and justify their means. All the while, they will let the Anon’s take the fall for it.

Governments

Nations

Nation States

… AND.. Corporations.

You know, those with the money and the people who could pull off the technical hacks required to carry these capers off.. Not a bunch of rag tag hacktivists and hangers on.

Blowback

In the end, what I fear is that there will be a great deal of blowback on Anonymous even talking about hacking and messing with infrastructure. The same can be said for their attempts on taking down Wall Street or the NYSE with their DD0S. If they had succeeded, they would have been an annoyance really, but that would not have caused any great fluctuation in the markets I think. No, unless they hacked into NYSE itself and exposed the fact that they had root in there, I think that it would have a very minimal effect on Wall Street and the economy at large.

Not to say that everything is going ever so well now…

DHS seems to have jumped the shark a bit for me on their BOLO and the coverage of this just tends to add to the FUD concerning SCADA and PLC code. Hell, for that matter we have the new Symantec report on DUQU that yells out about it being the “Son of Stuxnet” but in reality, it is more like a clone of Stuxnet used for APT style attacks by persons uknown..

Get yer FUD here!

Same goes for this DHS warning.

Your results may vary…

K.