Archive for the ‘Russia’ Category
Back in December I located a dump of data on the darknet placed there by a hacker collective in Ukraine called RUH8. The dump is rather good sized and all come from Russian backed Ukraine sources. RUH8’s dumped one group in particular that I was interested in because I located a piece of malware in the email spool that, once run through the usual tests, showed to be something not widely seen before. I will cover the malware further down the article and will include IOC’s but once I harvested the email spool itself and began to get things translated things got even more interesting.
Once I mirrored the site I got some help from <REDACTED> and set to work in translation of emails and documents attachments. Most of the bulk of the dump is average emails concerning daily business but a few began to tell a tale of the company that the emails came from and how it was in fact a Russian front organization created for propaganda in Ukraine and used to manipulate the populace in the Donetsk People’s Republic (The Russian separatist area of Ukraine) and those outside it including other countries outside of Ukraine.
Having all of this come to light just after the election win for Trump, and now coming out here in the midst of the Russian intervention and collusion investigations today, I thought this report would be prescient and give a rare insight into how the Russian propaganda machine works, how the intelligence apparatus of Russia works in this respect, and perhaps bring to light a new piece of malware for everyone to see.
The leak by RUH8 in the darknet consists od more than a few entities email spools as well as individuals that they have described as assets of Russia. In the case of this post the data comes from the domain dir-online.ru. This is a media org in Ukraine that is Russian backed and as I said before caters to the Donetsk People’s Republic. Within the dump there are many documents covering the day to day but five documents stood out amongst them all (frankly there are more to be analyzed and one needs Russian speakers to translate them all) as being all things shady.
RUH8 is also the group that hacked and dumped “The Grey Cardinal’s” email spool as well. Having gone through that spool I did not find any malware of merit or anything that was new so I moved on in mirroring and checking for goodies. They keep adding content to the site too so I would expect eventually I will locate some more goodies in the future. Keep an eye on the blog for more when I find it. The Grey Cardinal though is an interesting figure and I recommend you all read up on him as well.
THE PROPAGANDA PLAN:
Right, well on to the good stuff! The following documents found in this dump show Russia’s machinations at propaganda in Ukraine, well, at least this small slice of it.
From Translator: This talks about “anti-Russian hysteria” in the media and about disinformation and fake news that makes Russia look bad. And also that pro-Russian voices are accused of being agents of the Kremlin. To counter this, this document outlines a project to create a pro-Kremlin media campaign in the Ukraine that includes a budget for hiring journalists and buying equipment like computers and voice recorders, a budget for freelancers and “insiders”, Website hosting, web administrators, editors, advertising, The amounts — which are, for some reason, in US Dollars, are $9,250 for initial set-up expenses, and $38,280 ongoing costs. Those could be monthly costs — the salary of a full-time journalist is listed at $2,000, and that’s likely to be $2,000 a month. The editor in chief, who’ll be based in Kiev, will get $2,500 a month. Hey, their freelance budget is $6,000 a month!
From Translator: is a little disturbing, since it outlines how the anti-war movement in the Ukraine can be used for pro-Russian purposes. For example, the idea is to create a picture of the leaders in Kremlin as corrupt power-grabbers who are using the war in eastern Ukraine to distract everyone from their own problems. Russia’s invasion of eastern Ukraine is just misformation from Kiev. Sounds totally legit.
Oh, and I figure out why it’s all in US Dollars. Hah, this is funny. Way back when I was based in Russia — something like 20 years ago, when the Soviet Union had just collapsed, inflation was rampant. Stores had to change the prices on all their products several times a day! To deal with it, they all switched to using Dollars or Euros instead, the traitors! To fix the problem, instead of fixing the economy, the Russian government outlawed the use of foreign currencies on prices. So what the stores did was switch to using something called the “arbitrary unit” — which just happened to be worth as much as the dollar, by pure coincidence. Ever since then, this “arbitrary unit” has been the default price. It particularly convenient during inflationary periods, or when dealing with local currencies in different republics. Plus, everyone knows what it means. So, in this document, they use the term “arbitrary unit” and in others, they seem to have just used the dollar symbol instead.
Also, I can confirm that the ongoing expenses are per month — they spelled that out in this budget.
So anyway, this is another juicy document. They’ve put together a budget for running a fake anti-war grassroots organization.
Initial costs are $79,200 for things like computer equipment, recruiting, registering domain names and getting business and media licenses, and website design. It’s interesting that in both this budget and the previous one I looked at, they’re careful to get all the permits and licenses in place. They might be trying to undermine the government of a foreign country, but at least they’ve got all their paperwork in order!
Then the ongoing expenses are $86,000 and include salaries for regular contributors and freelancers, salaries for editorial managers and copyeditors, a financial manager and their deputy, $2,000 for a lawyer, $20,000 for online advertising, and $10,000 for promotion on social media like Facebook and VKontakte (Russia’s LinkedIn).
They’re expecting 100,000 unique visitors a day on weekdays.
It’s interesting they note that they’ll be playing games with the tax status of their employees — like in the U.S., there’s a difference between paying people as staff (where the employer has to pay a chunk of the taxes) and as freelancers (where the poor schmuck has to pay for everything). Also, in Ukraine, folks living in the disputed territories don’t have to pay taxes. They’re saying that they can save 40% as a result of playing around with this, which they claim is common practice in the Ukraine.
So not only are they undermining a foreign government, but trying to avoid paying taxes while they do it! I don’t know which is worse.
Document docxk7EDEjG06i is a plan for creating a major national media outlet from scratch. It will take $347,640 in startup costs, and about $146,500 a month in ongoing expensies. Total costs, for an eight-month period, are $3.82 million, including advertising costs, and other related expenses. Again, they’re playing around with the taxes. And they’re expecting to get a quarter million visitors a day on weekdays.
This one also has a budget for protection against DDOS attacks. They estimate that this will cost $2,000 a month (including the site hosting itself).
They also plan to sell advertising here, and have an ad sales department, and the editor in chief’s salary will be $10,000 a month plus a share of the ad revenues.
That’s not too shabby… Then they’ve got some projections for costs and revenues after that first eight-month period, which is interesting for those of our readers who plan to launch an online magazine in the Ukraine…
From Translator: This is super evil. I’m really impressed! The idea is is to create a pro-European, anti-Russian website — with the underlying message that the Ukraine will be better off without those annoying eastern provinces, and let Russia have them, so that it can enjoy its wonderful European future without them dragging the country down. So, again, they have an editorial budget. $69,900 in setup expenses, $65,000 a month in ongoing expenses, and plans to reach 100,000 readers a day on weekdays.
From Translator: This is a plan to create a news site to cover the conflict in the disputed territories, because people are hungry for war news. The idea is to make it seem objective and independent, but slip in a pro-Russian point of view. So they’ll use terms associated with anti-Russian reporting, but slant the coverage to make Ukraine look bad. Yicch. Startup expenses: $97,200, ongoing expenses: $126,500 per month, expected audience: 120,000 unique visitors a day during weekdays.
From Translator: This is an analysis of the Ukrainian political system and how a lot of work is done by “shadow” organizations in government. There don’t seem to be any action items here.
From translator: This is an overview of the Ukrainian media climate, and on how anti-Russian it is, and blames Western advisers for some of it.
So here is the context from these documents from the translator for you…
From Translator: These emails seem to have been sent to Georgi Bryusov, who heads up Russia’s wresting federation, and are in reference to a meeting with “PB.” I don’t know who “PB” is.
Bryusov then forwarded them on to Surkov.
So, how likely is this?
Well, I spent a some time covering a similar conflict in Georgia, where there was also a “separatist” province, called Abkhazia, and the conflict there was used to put pressure on the Georgian government. Although it was supposed to be a purely local, homegrown movement, Abkhazia — which didn’t even have an airport — somehow had fighter jets and bombed Georgian-controlled areas with them. (I was in one of those areas with a group of UN observers while it was being bombed. Fun! The Georgians shot down one of the planes which … surprise, surprise! … turned out to have a Russian pilot inside.)
Russia also paid the operating costs for the Abhazian press center, where I spent many a happy day. All international phones calls were free! I could call my editors anywhere in the world, and file stories about the brave Abkhazian rebels! They also fed us and provided us a place to sleep, and organized regular trips to the front lines where we could enjoy being shot at by the Georgians. They also showed us how well prisoners of war were treated and corpses of people killed by the Georgias and, allegedly, mutilated. (Though the Red Cross folks I talked to couldn’t confirm that the mutilations were real and not, say, the expected results of getting too close to an explosion.)
Anyway, the bottom line is that I do have personal experience of Russian spending gold to manipulate the media, in case anyone ever had any doubts that they were willing to do it.
As you can see from the commentary above, and you too can read the documents as well, the Russians set up a media company including websites and formulated plans to manipulate people toward the Donetsk People’s Republic and against a Free Ukraine. I am still going through the dump looking for the bills for the domains mentioned as well and will run them through Threatcrowd and other sources to see if they were used at all for malware C2 and propagation. Which brings me to the use of dnr-online as a C2. Interestingly enough the site itself is not a C2 but it does have connectivity to other IP addresses and domains that are.
The archology of malware that talks to 126.96.36.199 is rather interesting. There’s a bit of everything bad attached to that one to be sure including that MrSweet address that is ransomeware central. 188.8.131.52 is owned/created by beget.ru which has quite the many few dirty connections as well.
Of course beget could be innocent enough but as you can see there is enough of Mos Eisley in there to make one not want to get an account there and set up a site right? I will continue to look into other domains within the networks that dnr-online bought as soon as I can locate the bills for them or domain names and that will be another post I am sure. What all of this tells you though, is that the Russians have always been carrying out these kinds of active measures against people like those in Ukraine as well as what they did to us in the election of 2016. This is not a one time deal and certainly will not be the last one we shall see. In fact, the bots and the domains will continue to be set up by the likes of the SVR and GRU in hopes of manipulating the general populace toward the goals of the Putin regime until it’s demise.
… and likely past it.
THE MALWARE & GROUNDBAIT:
Right! now on to the other interesting bit found in the dump from dnr-online. In looking at the spool I dumped all attachments into a folder and began checking them for malware. All the word docs, excel sheet, power-points etc. The docs all checked out but one zip file had a .scr file in it that turned out to be malware. The file (Центр управления восстановлением ДНР справка-доклад за 13 октября 2015 года.exe) Center for Recovery Management of the DNR certificate-report for October 13, 2015.exe came from an email comiing in from a Russian source to the head of dnr-online. I am unable to source the headers at this time of the email but the question becomes was this malware sent to the DNR by RUH8 or was this malware sent to DNR to send to others in some other campaign. I cannot say either way but, the malware is a new sample of GROUNDBAIT or Prikormka that was detected and reported on by ESET running rampant in Ukraine. Given that ESET claims that this malware was being used against the separatists in Ukraine it stands to reason that the logic here is that the malware was to be used by the propaganda campaign against those it was seeking to manipulate. However, the nagging thing for me is the way this was passed around. The email has no real context in the text and to me it seems to imply that it is a fix for things inside dnr. My other thought is that maybe someone got hold of the GROUNDBAIT raw sample and re-used it by re-packing it and setting it against dnr-online.
An interesting notion…
I contacted ESET and talked a bit with the guy who did the work and he was.. Well.. Not so helpful. So here are the IOC’s for this file for you all to look for.
Filename: Recovery Control Center Help DNR-Report for October 13, 2015
SHA256: f9a96ad58fb946981d196d653ec28fa31d6f946a7e2f6784b317dd9adc557b62 (AV positives: 52/57 scanned on 04/30/2016 07:33:42)
File raw: zip file: zipnh4dZDtMUk.zip
“archive.rar” has type “gzip compressed data from NTFS filesystem (NT)”
“helpldr.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“samlib.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“rbcon.ini” has type “ASCII text with CRLF line terminators”
Writes directory archive.rar (exfil)
Connects and downloads second stage: GET http://wallejob.in.ua/wd.php?sn=2120161230091201&rb=7&ob=R_pol_x&bt=0 HTTP/1.1
descr: Domain registered for customer of Ukraine.com.ua
status: OK-UNTIL 20170619000000
changed: email@example.com 20160907200219
Found malicious artifacts related to “184.108.40.206” (ASN: , Owner: ): …
URL: http://wood-house.com.ua/ (AV positives: 2/68 scanned on 12/27/2016 16:55:43)
URL: http://wallejob.in.ua/ (AV positives: 5/68 scanned on 11/17/2016 02:10:28) <—GROUNDBAIT C2
URL: http://zarabatak.ru/ (AV positives: 1/68 scanned on 07/20/2016 10:59:29)
URL: http://psh.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:35:37)
URL: http://sem-dev.co.ua/ (AV positives: 1/68 scanned on 07/14/2016 04:33:23)
created: 2014-11-07 13:31:27+02
modified: 2016-11-03 16:37:39+02
expires: 2017-11-07 13:31:27+02
organization: SE Rabotnov Volodymyr
organization-loc: ФОП Работнов Володимир Володимирович
person: Vladimir V Rabotnov
person-loc: Работнов Владимир Владимирович
e-mail: not published
address: not published
address-loc: not published
phone: not published
created: 2013-04-05 15:01:02+03
modified: 2014-01-08 23:42:17+02
TYING IT ALL TOGETHER:
So what we have here is the insider’s view of how dnr-online, a propaganda wing within Ukraine’s Donetsk People’s Republic put together a media service(s) and planned to use them as a framework of Russian propaganda in the region. We also have malware that is known to be actual spycraft in the region within it’s mail spool being passed around at least to two sources inside, one of them being the director of the DNR company. Was that malware meant to infect and eventually allow for the dump in the darknet or was the malware being passed along for other uses that we cannot see in this spool dump? In either case this information makes it clear that in Ukraine the Russian propaganda and espionage machines are alive and well and using the net as a force multiplier at the very least.
I will continue looking at the growing dumps by RUH8 and let you all know about any malware and goodies that pop up. It is also of interest to you all that this dump has been around and certain groups have looked at it and just sort of said “Nothing to see here” which is interesting to me. I mean malware that no one has seen really and plans for propaganda in the region are of no interest? I guess maybe these groups just did not want to spent the cycles on looking deeper into the data. I actually did with the help of others as well as checked the forensics on the metadata to insure the stuff was real.
…but that’s just me… I am not a churnalist.
More when I have it.
UPDATE!: One day after this report one IP address involved as a nexus of malware has changed it’s domain name! Coincidence? Hmmmm?
So yeah, I posted a story last week about how a dump of data in the darknet seemed to be in fact Paul Manaforts daughter’s iPhone. It seems that this story was just too good to lose for Politico and the unscrupulous reporter there lifted not only my story but also my images! (yes the hashes match, he just saved them local and re-named them) Politico has done nothing to remedy this and they are churnalists of the worst kind, but they did at least call some people in the Manafort court to see if they would admit to the hack and they did. I could have told them that the hack was real because there was more that I did not post on the blog last time. The fact of the matter is that in the dump there was also a SQL dbase that I got hold of, and in that dump there’s one little interesting factoid. Paul Manafort has an email address that seems to be on a personal domain that isn’t really known about. In the dump connecting with his daughter is a personal iPhone for Paul and in that connection via text is his email address (firstname.lastname@example.org) when you look up this domain you can see it is one of a few that belong to the Manafort family but registered by another party; one Todd Hankins. Now it seems to me that in an era of “BUT HER EMAILS” this factoid might be of interest to say, I dunno, the IC that he has this and his email is being sent to and from this cutout domain.
Now the domain has never had a site on it and as far as I can see with the limited looking I have done this domain has been kept kinda on the downlow as the Manafort name is not on it like the others. The ONLY thing connecting it to Paul now is the email address and the fact that Todd there set it up for him in 2010. I personally find that interesting… You? I have passed this little tidbit to the right people but now I am going to go wide with it… One wonders as to what emails might lay within that pesky little email system at dmpint.com
Let the FISA WARRANTS FLY!
Google that domain and see what you get… It comes up all Ukraine travel sites… What does Google know hmmmmm?
Distributed Denial of Service has been the go to tool for the script kiddie and Anonyous over the years but recent developments have shown that this tool may be evolving and maturing with new use by actors within the nation state arena. In fact DDoS has been used before by Russia on Georgia in 2008 and again recently on the attack of the power grid in Ukraine. The types of attacks varied but the end state of denying service to sections of infrastructure have been the same in each of those occasions.
What was once considered to be just a tool for skids is now fast becoming a dangerous tool for other attacks that in tandem with kinetic action, could be the prelude to war or, more to the point, smaller actions that may not lead to the intensity of war by the standard definition by countries like the USA. This blog post contains a set of scenarios that could possibly play out but they are more so thought experiments to show the potential use of a denial of service in hybrid or network centric war that includes information warfare, CNO, and CNE implications.
Directed Attacks on Infrastructure and Defense (Schneier)
In a recent post on his blog, Bruce Schneier alluded to some very directed DoS activity against infrastructure of the internet. He was not really forthcoming with the data but I too had heard of some activity and thus began to ponder who might be carrying out tests of new denial of service tools. His go to on who was carrying out the attacks was China, which was a poor choice in my opinion and wrote an off the cuff retort here. I believe that another actor is afoot in that one and as you read below that actor is DPRK. I think this for many reasons that I will cover later.
In any case, the attacks have been systematic and show planning in a way that alludes to a desire to take out large areas of the internet and or command and control systems for the nation(s) that would degrade our abilities to fight a war, carry out daily business, or just surf the web. Of course the former is the most important and likely the aegis here rather than the latter for this adversary.
Another event that has taken place in rapid succession to the attacks on infrastructure was the DDoS of Brian Krebs website after he outed a company that performs DDoS as a service in Israel. This attack for the most part appears to me to be revenge for the takedown he was part of, but he has over the years managed to piss off many of the skidz out there today so the list of names grows exponentially there. What struck me though in this attack was that the tool used was then burned by it’s one time use on Brian. If this actor were someone within the space of nation state, they would not want to burn the tool so to speak.
In fact, post the hubbub of the determination that the tool in question leveraged a botnet consisting of IoT devices (Internet of Things) the author dumped his code online because within days he already was seeing his output diminish because ISP’s were cleaning up their acts and denying access to insecure IoT devices and telnet sessions that had default creds. With this revelation it leaves the tool up for use to some, upgrades to others, but overall it is burned as tools go for surprise attacks. Of course the tool’s DDoS is carried out by GRE packets which is a hard one to stop. If others find new sources of bots for the botnets then the tool once again can be fired and take down the targets pretty readily, so there is that.
South Korean Router Hack
The Yonhap News agency recently put out a report stating that the ROK military had suffered an attack on a ‘Vaccine Routing Server’ at their cyber command in Seoul. I am still not sure what a vaccine routing server is other than perhaps a bad translation from Korean to English but if it is in fact a router, then this attack could further a DDoS quite well. Of course this attack if carried out the right way, could be just like the OVH attack that leveraged traffic directly through to the back end of the OVH infrastructure. This type of attack would be devastating on any network. If in fact the OVH attack was another “test” of another, as yet un-named tool, then leveraging such a router compromise on the ROK cyber command by DPRK would be the next best thing to just dropping a missile on the building, which would likely happen right after the DDos begins in a lightning war.. But I digress.
So with all of these things in mind, I would like to next discuss the tactical use of DDoS in a hybrid warfare scenario. In the cases earlier stated with Russia, both types of denial of service were used in differing capacities. In Georgia, they used the DoS to cut off the country’s communications both internally and externally leaving them dark the rest of the world. In the case of the recent attack in Ukraine they did not use the common tactic of DoS by packet, instead they used a phone DoS on the helpdesk at the power company as well as other tricks like attempting to re-write the firmware in the ICS/PLC environment so that the power would stay down after the attack. Both of these attacks plainly show the value of this type of attack but below I will go into the thought process behind their use.
Deny, Degrade, Disrupt & Psyops
DoS of any kind’s main goal in a warfare sense is to deny access and communications, degrade access and communications, and disrupt access & communications. These primary goals have sub goals of slowing the adversary, denying the adversary, and disrupting their abilities to respond to attacks. If you carry out these denial of service attacks on communications lines for say military command and control (C4ISR) then you are effectively blinding the enemy and or disrupting their ability to respond and prosecute a war.
Years ago an example of this was carried out in Syria by Israel when they attacked a radar station electronically and allowed their jets to make it through unseen by the air defense of the country. This operation (Orchard) leveraged this electronic attack to destroy a nuclear facility before it went live. In certain situations these attacks also can have the added benefit, or even the main goal, of prosecuting a PSYOP (Psychological Operations) on the affected country by destabilizing their networks (public and mil) and sow distrust of the infrastructure as well as cause pandemonium. I will write further on the PSYOPS angle below in one of the scenarios.
Signal To Noise
In some cases a DdoS can be used to distract an adversary while you are attacking a specific asset(s) in a hack. This type of activity has been seen in some of the Chinese activity in the past. This type of attack is quite successful as the IR teams are otherwise engaged in trying to mitigate being offline, it is easy to miss a certain network or device that may still be connected and being attacked. With the masses of data being aimed at the defenses it is easy to miss the attack within the deluge of bad data.
Scenario One: Core Infrastructure Attacks on ROK and USA
With the attacks on infrastructure mentioned above, and the ROK Cyber Command attack on a “router” this scenario concerns a “short war” which is the favored type of warfare by the DPRK. In this attack the following happens:
- DPRK launches a DDoS of some kind(s) on ROK and US assets to disrupt C4ISR
- DPRK engages their rocket batteries just outside of the DMZ with a three minute flight time to Seoul
- DPRK launches other forces and attempts to overtake ROK
It is within the nature of DPRK to attempt this kind of attack because it is doctrine for them, they have nothing to lose, and they would aim to deny, degrade, and disrupt ROK’s allie, the US with the types of attacks we have seen recently with the GRE packet attacks. Of course there would have to be other maneuvers going on and other attacks within the spectrum, but this attack vector would be easy enough for DPRK to leverage in a kinetic hybrid war scenario.
Additionally, the use of DDoS by DPRK is a natural fit because of the lack of infrastructure within the hermit kingdom. If DPRK were to leverage DDoS like the GRE elsewhere, it could easily do so because of the aforementioned lack of connectivity as well as the norms today for warfare do not really cover DDoS (yet) as a type of attack that would require a kinetic response. DoS and DDoS are the perfect asymmetric cyber warfare tool for DPRK and I for one would not be surprised to see in the near future, it’s use by them in scenarios like these.
Directed Attacks In Concert on US Elections
The following scenario concerns the upcoming US election and the possible use of DoS/DDoS as a tool to sow mayhem during the process. Russia seems to be actively tampering with the US electoral process in 2016 through direct means by way of hacking and cyber warfare tactics. However, this attack could be just as easily leveraged by DPRK or anyone else. I am using Russia in this instance because it is October and, well, you all have seen the news lately right?
- Russia attacks the internet infrastructure within the united states to deny and degrade access large scale
- Russia attacks polling places connectivity either by the larger DoS or direct action against polling places and the electronic voting machines connection to upload results
The net effects of these types of attacks on the voting systems on the day of the election would have these potential effects on the process:
- Insecurity and fear that the US is under attack
- Insecurity and mistrust of the electoral process through electronic means
- Not all voting systems have the paper backup so counting ballots would be null and void in some areas
- Re-counts would occur
- The parties (Dem and Rep) specifically in this heated election race would demand redress on the systems being corrupted by possible hacking attacks
- Election results could be null and void
This scenario is quite possible and it does not have to be fully successful technically to actually be successful as an attack. The net effect of PSYOPS on the American process and people would already be carried out and in effect. Given this election cycle’s level of crazy, this one would be very hard to control and not have it spin into disarray. It does not take a lot to throw a monkey wrench into an already contentious election where persistent October surprises from hacked data are being splayed across the scrolling bars of CNN.
With all the scenarios laid out, it is important to now cover the two actors and circle back to the events recently concerning DDoS. In Bruce’s piece he immediately went to the old stand by that; “China did it” I however do not agree with this assessment and the reasons are due to the nature of the actors and their motivations. Rational actors versus irrational actors are key points to consider when you are trying to attribute an attack like these recent attacks. All of this is speculative to start, so please bear that in mind with the attribution I make. (see dice above) For all I know these attacks could all just be cyber criminals seeking to hawk their “booter” service.
Who’s to say really?
Per the assessments of CSIS and other experts on DPRK there is not much to go on in the way of hard data on cyber capabilities and actions from North Korea. However, they do have patterns of behavior and doctrine that has been smuggled out of the country in the past. The use of asymmetric attacks that take very little resources would fit perfectly with the DPRK’s desires and modalities. As mentioned above also, this type of attack would fit well with their “short war” stratagem.
North Korea under Un has shown a willingness to use cyber warfare tactics in attacks like Sony and understands they have nothing to use by leveraging them. Sanctions are not going to work on them even with the pain they may cause. The same can be said for attacks like DDoS, there is a low threshold to entry and use and they have a large asymmetric win in the eyes of DPRK. I would recommend that you call click the link at the top of this post for the CSIS paper on DPRK’s cyber capabilities and structure.
Russia is another animal altogether. Russia plays the game brashly but most of the time very smart. In the case of DDoS use we have already seen them leverage it in tandem with kinetic warfare and do so with success. Their recent use of it as a digital stick on Ukraine as well show’s that they are not afraid to use the attack in their back yard. However, use of it against other nations might be a bridge too far in some cases. The scenario I have laid out though with regard to the nations elections in November 2016 is quite plausible and the burden of proof that the DoS was carried out by Russia or a proxy would be hard to prove in an international court.
Another aspect of this scenario is just how far of a response would the US take if such attacks happened? With attribution being what it is, how would the country respond to an attack of this nature and what good would it do if the process is already tampered with? This scenario is mostly a PSYOP and once again, the damage would have been done. With Putin’s recent aggressive moves (re-forming the KGB and now walking away from the nuclear treaty) it is not beyond the scope of possibility that his penchant for disruption would win out.
Russia is a rational actor and this would be a rational attack. Imagine if by an attack of this kind it tips the election in favor of Trump?
The DDoS attacks that have been happening recently do show that something is afoot. That something is coordinated and is being used to target key aspects of the net as well as DIB partners. What the end goal is and who is doing it all is still a mystery, but, these scenarios above are just as valid as once again pointing at China and yelling “THEY DID IT!”
Maybe something will happen in the near future…
Either way, one should consider the adversaries who might be at play.
UPDATE: Evidently I am not the only one who is thinking along these lines… The Daily NK had an article come out the same day, thanks to @JanetInfosec for the tip! According to this article they are assessing that on or near 10/10/2016 DPRK may attack ROK with electronic/hacking attacks as well as perhaps more launches of provocation.
I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!
“I summon the Russian GRU!”
“I summon the LONE ACTOR!”
“I summon the KGB!”
*slaps down cards on table* TAKE THAT!
The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!
So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.
So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”
Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?
Metadata and Cyrillic:
Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович) Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!
You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…
- Much of the data was stamped out in saving from format to format
- Emails of users though were still embedded in the excel files
- The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
- The image files have no metadata.. none.. niente clean.
- Grizzli777 is just someone who pirates
Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.
*squint.. takes drag of cigarette*
So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!
All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!
Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!
It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?
Motivation Analysis and Hypothesis
RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…
Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…
- Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
- Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
- If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
- Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
- Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!
So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????
Why Pooty of course!
Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.
That’s my theory and I am sticking with it… For all the fucks that it is worth.
I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.
See you all in INFOSEC attribution Hell.
According to ESET Virus Lab, the worm has been active for several days, lately in the U.S. and Iran withalmost 58 percent of all infections being reported in the United States, 30 percent in Iran and slightly over four percent in Russia. The cyber attacks in the U.S. and heightened activity of the worm in Iran come in the wake of persisting tensions between the two nations over nuclear ambitions of this Middle Eastern country.
“This worm is an exemplary case of targeted attack exploiting a zero-day vulnerability, or, in other words, a vulnerability which is unknown to the public. This particular attack targets the industrial supervisory software SCADA. In short – this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does,” said Juraj Malcho, head of the Virus Lab at ESET’s global headquarters in Bratislava, Slovakia.
An interesting angle to this story is how the worm spreads. “For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers,” said Randy Abrams, director of technical education at ESET in the U.S. “The ability to attack power grids throughout the world would be very appealing to terrorist groups,” concludes Abrams.
Full article HERE
Interesting choice of countries to attack… What would be the motivation for just those two countries in a targeted attack? Could there be some cross polinization due to the actions of one country on another? Lets say for instance, the Iran got infected by something they procured or had access to within the US? Or vice versa? My bet though, is that this is a targeted attack on the systems themselves and not country centric. Any country using like technology, likely has the new worm in their midst and may not know it.
Of course, just how many SCADA systems are prevalent today? As well, just how many have been connected to systems that face the internet in some way? That is the operative question I guess…
As for the contention that this is industrial espionage.. Well, I might think it is more groundwork for something else… Here it comes…
Cyber Warfare Oh my, I said it didn’t I huh.. The talk lately has been so back and forth between detractors and believers that no one really is getting “it” No matter what you call it, no matter who you want to attribute it to as attackers go, here is the proof of concept that even if it is not “happening successfully” yet, they are trying. That is the important thing to keep in mind. What people fail to understand is that the whole US grid need not be knocked out to make a cyber war or to be successful. All you really need is for the target of your choosing that will fulfill your desired outcome, to be taken down or subverted in whatever way you want it to be.
I am sure the bickering will continue and the government will look at this and think they have to create another agency or sub group to think about it more.. In the meantime though, we still have the problem of these systems perhaps being connected to networks that are not secure, whats worse, those networks may in fact be internet facing and thus able to be C&C’d from remote locations like mainland China.
More has come out about this 0day and the supervisory systems attack (I wonder if that is the only vuln attack here or is it just one of many coded into this effort?) It seems that the Siemens software and an old and well known SCADA password for it on the internet, has been coded into this and has been seen in the systems spoken of above.
IDG reported that Siemens issued a warning on Friday saying the virus targets clients using Simatic WinCC, one of the company’s industrial control system software offerings that runs on Windows. The virus strikes at a recently discovered Windows bug that affects every Microsoft operating system, including the recently released Windows 7.
The virus transmits itself through infected USBs. When the USB is plugged in to a computer, the virus copies itself into any other connected USBs and, if it recognizes Siemens’ software, it tries to log in to the computer using a default password.
Now this article has language from Siemens that alleges industrial espionage and not so much prelude to attacks on a networked system such as the grid. One wonders just what the straight story is here. In either case, the incursion of the worm and the accessing of a known pass/log to a SCADA system is not a good thing for those of us trying to protect said systems. Would not one looking at this on the face of it think that it was an attempt to gain a foothold as well as intel on SCADA systems for future use?
Better keep your eyes peeled…