Archive for the ‘Spooks’ Category
Bellingcat: OSINT Playing Games Where People Tend To Get Burned and Dead
Recently there has been a lot of hubbub about Bellingcat pivoting from tracking military movements and downed planes to exposing GRU operatives who have carried out poisoning operations in the UK. Personally I have watched with a mix of trepidation and angst over what they have been doing recently with the liquidators they have fingered for the Skripal poisonings. I have mixed feelings on all this because while I think they may in fact be right, they could also be being used by their “sources” in Russia as well as possibly be used in future to their detriment by Russia and other nation state services for disinformation operations. Even worse, this group and their OSINT could in fact get in the way of real operations by those same services of friendly nations and could endanger themselves if not others in the field by dropping these bits of intel.
OSINT is a new flavor of the day in the information security world but it has been a long standing practice in certain circles in the other community. The difference here is that the OSINT carried out before was by trained individuals within the intelligence community and not put out for general consumption for the world at large. Today, we have Bellingcat dropping all kinds of data that may or may not be correct that is messing directly with operations by a rogue nation (Russia) and a dictator (Putin) that has no compunction about just killing off the people who oppose him enough to cause him heartburn. This is the big difference here and I just want Bellingcat to take that into account as they do what they seem to be doing with regard to GRU ops. As far as I know, the people who work for Bellingcat are not former intel community, maybe there are some, someone can let me know, but you have to consider that the majority of the people there are not spooks and might be out of their depth in this regard.
Additionally, I would like to reiterate that these discoveries could be actually disinformation provided to you all by services like the SVR to hurt the GRU too. In the world of espionage you are forced to live in the wilderness of mirrors kids. Intelligence analysis is a real art and I am just not so sure your carrying it out completely with these dumps on the GRU carefully considering that fact. Just please consider that you are being played now and if not now, you will be in the future to your detriment by nation state actors for their own goals. That said, please take everything some group gives you so handily, even if the data is in fact correct, as a possible dangle or disinformation operation before you just dump it to the BBC.
Lastly, let me just say again in rather plain language, playing this game can get you dead. Russia is at a point with Putin that they just don’t give a fuck and if you are in their way, and enough of a problem, they will destroy you or kill you. Just look at Sergei and his daughter! Or for that matter, look at Anna Politkovskaya, Alexander Litvinenko, and more than a few other impediments that Putin got rid of. It may not happen now, but I can assure you if you piss them off too much, you will get their unwanted attention.
Just a caution….
Oh, and while I am talking about deaths, it seems that a relative of one of the assassins has been perhaps made missing or killed in Russia as well. So, you all have to consider the possibilities of your hubris in what you do in the form of innocent collateral damage to others.
Just sayin…
K.
The QNB Hack: Cui Bono?
The Dump
The recent dump of data from the Qatari National Bank was of interest to me and many others because it was purporting to have the accounts and identities of spies within it’s csv and text files. I downloaded the files from Cryptome thanks to someone pointing me in their direction and took a nice long look. As the story has unfolded it has come to light that the bank itself says the data is real and that they are now “completely secure” which is amusing given that this was an ols SQLi attack that netted this Turkish hacker group the jewels of QNB.
The dump consists of the oracle database files, the passwords, and the banking information of all the users therein. I have to say that most of it is really quite pedestrian but then the hackers, or the bank management, created file folders (as seen above) that marked people as spies, Mukhabarat, Security, Gov, and other tantalizing names. I first had thought that the file folders and their speculative names had been created by the hackers to sex up their dump but it has come to light that if you look within the database dump itself you see the directories and names have headings like intelligence and defence. So it seems that the bank itself may in point of fact created these tags in the belief or inside knowledge that the people in the data were in fact what they claimed, or at least thought they were.
The Spies
I looked at all the interesting folders and the data all the while wondering about the validity of the idea that these names were in fact corresponding to real assets, NOC’s or just functionaries in Qatari space that had just been quite well blown by this hack and subsequent data dump. On the whole I would call into question all of the names being linked directly to espionage organs. I really have to wonder if the bank would in fact be that “in the know” about spooks in their country and really have to be circumspect about their putting that in the users bank records. I mean even the Mukhabarat would at least demand that it be obfuscated one would hope by a code of some sort and not just in the headers/directories themselves.
It really kind of feels like the natural tendencies of the Arab nature had gotten the best of the database admin and the managers of the bank and they believed that these people were spies without there being any real proof. In any case, if these people, especially those who are FORN and in country, now may have some trouble with people thinking that they are really spies and subject to attacks. Imagine if you will any jihadi types who might take this data as gospel and go after these people for da’esh or AQ. This could be bad. I have yet to hear of anyone leaving their positions or the country. If I were one of them I would at least be looking over my shoulder henceforth.
The other data I can see perhaps the military accounts and names being totally on the money because they are their own Ministry of Defence and really, that is not top secret stuff. Likely the bank see’s where these people get their pay from (Qatari funds from the gov) but even these people could now be targets because this hack was motivated by political means it seems after all.
Cui Bono?
It seems that the Bozkurtlar (Grey Wolves) a Turkish political group and their hackers were the perpetrators of this hack. There is a long history between Turkey and Qatar and most of it seems kind of benign but when you scratch the surface a bit you can see that there are some issues between them as well as some synergies in their support of certain terrorist groups like da’esh. (click linked image below)
So, “Cui Bono?” Well, certainly the Grey Wolves, to what end I am not completely sure. They did post their video before the hack hit the pastebins out on the net so it was pretty much their gig but I still don’t quite understand why. Perhaps these hackers are quasi wolves and or it is some other entity using the wolves as a cover for their activities. Given that there has been no real perceived fire coming out of Qatar over this nor in other areas of the world that we are aware of, I kind of doubt all these people were in fact assets of foreign powers.
At the end of the day, this just turns out to be yet another derpy easy hack using SQLi on an entity that wasn’t performing any due diligence but it had the sexy sexy for the masses with the idea that some great hack exposing spies had occurred. In my opinion not so much really. So hey Grey Wolves, gimme some more context would you than some poos British shmucks MySpace page in the future would you?
K.
ASSESSMENT: The ZunZuneo “Hummingbird” Social Network and The Cuban Spring
Cuban Intranet and Internet Access:
Cuban internet access is minimal and very controlled the the government. There were as of 2011 about 124K addresses listed to the .cu domain on the internet belonging to Cuba and the average ownership of a computer was low. The same was true over cell phone ownership and use compared to other Caribbean countries. The regime’s control over all of the infrastructure pervades to the intranet being primarily a tool for propaganda and a means of control via surveillance on those who could access it.
Internet access though became a feature to the rich in the country or the political (both are the same in reality) and one could buy access to the internet for a hefty price underground. In fact some blogs have shown up over the years on the proper internet after dissidents paid for or obtained access either themselves or by exfiltrating data to outside sympathizers for publication on blogs like WordPress or LiveJournal. Generally, if you wanted a source of outside news you had to either buy access to the internet in the black market, get it on the streets from people with SW radios, or by some other means. This control over the media and technology has perpetuated the control of the Castro regime and allowed his dictatorship to continue.
Cuban Telco:
Cubacel also is a single proprietorship of all cell phone communication (state run) on the island and in fact the ownership of cell phones is one of the lowest as well in the world for penetration of cell phone owners and use. This too means that the Castro government has greater control over what the people can access as well as a single point of surveillance that can be used as a mans of control as well. Of course today this is all being said in the age of the NSA tapping just about everything so please take this with a grain of salt and the knowledge of how that makes you feel about surveillance by any government.
I am unsure of the prevalence of cell phones today in Cuba but I am guessing that these statistics are only a little different today due to the controls that the Castro government has in place over it’s populace as well as the poverty rate of the island itself disallowing general ownership and use. While the numbers may have grown so too might the attitude of the government due to a shift in power from Fidel to Raoul Castro. While the former was a bit more hard line the latter seems to be a little more open to allowing the country to loosen it’s grip on the people and allow communications with the US. This may also play a part in easing the minds of the people into thinking they could in fact use cell phones and platforms like ZunZuneo to air grievances.
ZunZuneo:
The ZunZuneo platform went live in 2010 and was a “Cuban Twitter” which was text based on the cellular network on the island. It was in fact a program put in place by USAID (likely a covert program run by CIA in reality) and ran until about 2012 and at it’s end it had about 40 thousand users on the island. The broad idea of the project was to have the Cuban’s generate their own “buzz” around dissident ideas and allow them a means to text one another outside the controls (ostensibly) of the Castro governments eyes and ears. This though likely was not a complete success nor was the program a success from the standpoint of mass demonstrations happening either as far as can be seen by any news sources reporting on this.
ZunZuneo was inserted and run by contractors and purported to be a Cuban creation with cleverly hidden funds and controls from USAID/CIA. The program’s aegis was to insert itself, gain a user base, and then to start to send texts to the users to spur political unrest against Raoul and Fidel Castro’s government. In the end the program came to a sudden halt due to finance issues (alleged) but the reality is it never actually got the directive to insert itself as an influence operation. It operated unbeknownst to the users and in reality was a failure because I think USAID and CIA had hoped they would see dissent traffic on it’s own. It did not and thus perhaps the idea was seen as not feasible and the finances were withdrawn.
Influence Operations:
Influence Operations are nothing new and over the years many have been carried out on places like Cuba. With the advent of new technologies like the internet this has become even easier to carry out on average when the populace has easy and free access to the net. in the case of Cuba this is not so much the case like the DPRK. I would say though that Cuba has a much more permeable information border than the DPRK due to it’s geographical location as well as the current regime’s leanings towards opening up a bit more. Though it is still the case that the current government still holds all the keys to information flow as well as a secret police force that controls the populace who get out of line. So it is no paradise of freedom and beauty.
That the US decided to use USAID to carry out this operation is an interesting choice but in their charter is the mandate to “spread democracy” so while some might question the aegis here and say that this was a rogue operation I don’t necessarily agree with that. One must understand that at least USAID has access to many places under its mission in general of providing humanitarian aid so there is purview there. The question though becomes do we want to taint such an org in the future and deny access to critical areas where people really do need help? This will be the fallout from this in general globally and likely will hurt people in the end. As influence operations go though this was a bit of a flop in the short term however. In the long term though perhaps this may lead an internal company or group to create a new ZunZuneo because the 40 thousand people using it really enjoyed it. If someone were to create a new one and if the populace felt that they could in fact speak their minds freely, then maybe they would rise up.
ANALYSIS:
My analysis of the ZunZuneo operation is that it was a novel idea but lacked oversight. An influence operation that inserted itself as a platform for communication in a place where cell phones and internet access is tightly controlled was a gambit that was bound to fail in my opinion. This was in fact the digital equivalent of releasing balloons with propaganda over the DPRK (which is ongoing today) and does not have a penetration level at which a real traction could occur. It is my belief that the CIA/USAID thought that what they had seen with popular uprisings like the Arab Spring could be effected in Cuba internally by it’s populace. What they failed to comprehend was the amount of outside help the Arab Spring had from the likes of Anonymous and the general internet to assist them in carrying it out. In the case of the Arab Spring and other incidents the governments attempted to clamp down on communications that they controlled only to be denied absolute control by key players outside allowing access through POTS and other means.
In the ZunZuneo scenario two things did not happen to cause it’s failure at the end. One was that the populace who had access perhaps did not feel they could speak their minds because everything was on Cubacel to start with. The second was the fact that this program was not a populist movement from the start. You will note that the other “spring” incidents had access to the internet proper not only on twitter but also by other means. These countries already had a populace who had access to external information and were consuming it regularly. The same cannot be said about Cuba in general as I have described it above. The traction just wasn’t there because the people know already that the vehicle that the information operation was to use was already monitored by the government that is oppressing them.
At the end of the day though I have been seeing an easing in the Castro regime since Raoul took over from Fidel and this would I hope, continue as the two of them age into retirement (aka their graves) and the people might have a chance at that point to make a change. Time will tell just how much more Raoul opens things up post this little debacle. However flights in and out of Cuba are more plentiful and there is a flow of monies etc that could be much more beneficial in the long run than any influence operation ever could. My fear though is that the old guard Cubano’s in Florida may have had a hand in this as well and there may be more out there in the wings. It could upend the growth that has happened and that would be a shame.
K.
No, You’re Not A Spook Just Because You Track Social Media and Do OSINT
rlutjiggsqi71pdmksnpocypnxoueuhfcvhbgcry?
I Know, I AM A Broken Record But…
Gah! The bile has finally risen to the point where I feel compelled to blog (aka rant) again. What has me discomfited this time? Well, glad you asked, it’s all of these numbnuts out there on the Internets saying they are spooks, or inferring they are spooks because they track social media and claim to be OSINT specialists. Increasingly I am seeing these people listing that they will be at con’s or they offer services or god forbid have it on their LinkedIN account next to “Uber secret special internet cyber security specialist commando imperator” or somesuch bullshit title that they came up with during a nocturnal cyber emission.
Lately the Internets have been thick with this loamy bullshit and my limit has been reached, and thus a screed is born. Look, unless you went to “The Farm” or somewhere else under the auspices of some “agency or service” you are not a “secret agent” no matter what you think you might be able to pull off online as a moniker. You are not a secret SOF officer or for fucks sake James Bond of the Internets ok? Let me tell you a little secret as well. There’s a great difference between an “analyst” and a “special operations officer”.. I guess you never read those books or taken a class have you?
DERP.
Look, just cut it out. You are much closer to being a Johnny English or a Maxwell Smart than you are to being George Smiley ok? *note all fictional!!* In the real world, and yes, your shit from the internet does effect the real world (meatspace to some) and when you do shit wrong or poorly, you can have repercussions that can range from “oh look how cute!” to “That’s it, jail time for you on the charge of douchery”
… And the douchery has been epic.
The Spook Shingle Is OUT!
Lately (ok over the last couple years really but I’ve finally had enough) there has been a deluge of self styled spook types out there with their digital shingles out. They range from mildly douchey to “OMFG You’re title is what?” It’s all a matter of degrees I suppose and some out there are just waving it all in the wind in hopes that someone will take them seriously and buy into their bullshit to get paid. Of course many in the community call bullshit on them but still, there lurks the odd C level who says “Oooh they look important because of their important titles with the spooky lingo” So in the end, some of these Cretans get paid for their dubious skills and that is dangerous in and of itself, I mean, this is how the Ligatt’s of the world make a living (i.e. douchery and gullibility)
Take a wander through LinkedIN sometime and you can see for yourself some of the epic titles out there that are followed by little to no experience on the profile. Still others make more shit up *freewheeling it* in hopes that the language and imagery will just bamboozle you into believing their dreck. It might amuse you for a while, you’ll giggle and then perhaps you will realize just how stupid it has all gotten and you will have an aneurysm. At the very least have a look though to understand the proportions of it and lament.
I Track Social Media and It’s OSINTSAUCE!
Meanwhile, many today are claiming to be performing “OSINT” (Open Source Intelligence) and featuring the angle that they are specialists in “Social Media” Each time I see or hear this I have a petite mal seizure and pray it will be the “big one” that will my own little ceremony of the cremation of care. Unfortunately I keep waking up and there they are, still sat there making prognostications over twitter and facebook feeds. The big problem I have is are they just looking at these feeds or are they interacting? How are they analyzing what’s being said and with what kind of rigor before generating some report for whomever? Just what exactly are they doing? Is it really “OSINT” or is it just loose reporting of the diatribes of Anon’s 140 characters at a time?
Looking back, I see the same thing with Aaron Barr and the HB Gary affair, he said he had nailed down the leaders of LulzSec via OSINT/SOCMED but when the time came, and the data was laid bare to the masses he had nothing right. Is this OSINT? One word.. “No” However, it does make a real point that many seem to not get.. OSINT is “INT” meaning Intelligence. Intelligence is not a game of “Slam Dunks” unfortunately now VERY clear to George Tenet in hindsight. You are dealing with information that usually comes from sources that could be outright wrong, or misleading you on purpose. It is the job of the analyst to correlate the data, fact check as much as possible, and then report on what he/she has discovered. Unfortunately, many of the people out there today claiming the mantle of OSINT specialist don’t have the benefit of that knowledge, nor have the background to do so, but they do anyway. Of course this also covers those not doing it as a job but instead for fun online or with some grudge to work too.
A DOX Here A DOX There.. DERP, DERP, DERP
Then there’s the “D0xing” as made popular by Anonymous. Frankly I have been amused by some of the lulz here but schadenfreude aside, what’s the point? I have harped on this before in posts about Anon exhorting them to do better if they were going to be “moralfags” (their term for it) to enact change. If it’s for the lulz well, that’s all it is whether the dox are right or wrong. However, if you are trying to effect change for the better, your dox better be right. A recent posting over the rape charges in Ohio on LocalLeaks is a case in point. The site is touting the release of the email spool for a “fan” of the local football team who may or may not be close with its players.
The dox drop of the mail spool is accompanied with innuendo about photos within that “may be” of an underage person (see post on site) While the rear end in question is certainly not of a 90 year old, neither can it be said that it is at all anyone underage either. Upon looking at the other “evidence” that Anon has dropped, nothing else shows much as to their being any untoward activity by Mr. Parks. This is the problem with bad intelligence gathering and analysis, you are not doing anyone a service when you only have some information and then you decide to make the rest up to fit your story (ya know, like the WHIG before Iraqi Freedom right?)
The same goes for those within the security community that speciously claim intelligence wins with data from social media etc because in the end, nothing in the intelligence game is a “slam dunk” it’s all just meant to inform your clients as to what seems to be going on. Unfortunately all too many people are going about this with the misperception that their product is correct in the first place and that they know what they are doing in the second.
Internets Is SERIOUS Business
In the end I just wanted to take the time to call bullshit on a lot of what’s out there today.We have many a charlatan running amok as well as more than a few pathetic individuals living out their super secret agent lives online in hopes that someday they will wake up and it will be real. The real spooks (other than the ones being arrested for leaking and given 10 year sentences) are usually pretty quiet. Others, well they are often making big claims about being all spooky and in the know.. I guess the axiom should be that the quiet ones are the real guys and the shameless self promoters are.. Well, not.
That especially means you zan.pklvnxwiin.fxh
For the most part though, I have to give credit to the 4chan’ers for starting the meme of “Internet is serious business” because it really is the case for the most part. Sure there are always larger, more impactful things that come from it, but generally, the internet is all about the lulz. Anyone who deludes themselves that it is in reality really really important should be mocked mercilessly.
Just my two drachma….
Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY
X
Flame, DuQU, STUXNET, and now GAUSS:
Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.
Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…
I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.
Malware Wars:
Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.
And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.
Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.
An Interesting Week of News About Lebanon and Bankers:
Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.
Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.
All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.
Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:
Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?
Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.
Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.
The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:
Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.
We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.
So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.
In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.
We Have Many Tigers by The Tail and I Expect Blowback:
Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?
The cyber-genie is out of the cyber-bottle.
Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.
I have mentioned the other events above, but here are some links to stories for you to read up on it…
- PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
- Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
- Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)
All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.
It’s a delicate balance.. #shutupeugene
Pandora’s Box Has Been Opened:
In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.
It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.
The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.
Will we eventually have to have another treaty ban on malware of this kind?
Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?
K.
OpCARTEL: Kids, Trust Me… YOU ARE NOT Up To This Operation
Killing Pablo:
Ok kids, before you were old enough to understand, there was a guy named Pablo Escobar. He was a bad guy who pretty much single handedly provided the US with cocaine that powered the 80’s debauchery. Pablo was the progenitor of the Zeta model of narco-trafficking that you guys are claiming to have data on and want to tangle with. Let me tell you now in no uncertain terms how I feel about #OpCartel…
YOU ARE NOT READY
Plain and simple, these guys are not just some namby pamby government following laws who will try to arrest you. No, these guys will hire blackhats of their own, find you, and KILL you in the most horrific ways. Need I remind you of the bloggers who got whacked recently? I don’t think you all want to be the next to be swinging under an overpass with a Mexican Necktie do you?
It took major government and military operations to kill Pablo and his cartel. You guys dropping information on the low end mules and lackeys will do nothing but interrupt operations currently ongoing as well as put yourselves into the cross-hairs of the Zeta killing machine. At the very least, you need to do your homework on these guys and NOT announce things on the internet before you do anything, this is just asking for a whacking.
Have you not been listening?
INTELOPS:
First off, if you want to gather intel on these guys or you have it, then make sure you vet it out and insure its the real deal. If you have sources, you need to protect them and if you have hacked access, you need to insure that you can’t be traced back. The big thing though, is to KNOW YOUR TARGET! How much do you really know about the Zetas? How much do you know about the politics of the area? The players both inside and outside the cartel? This group just doesn’t have low level people, they also have high ranking political connections as well. You mess with them, then you have governmental assets and pressure as well to deal with.
So.. What do you know about Los Zetas?
Los Zetas:
Los Zetas and La Familia Michoacana are a narco ring comprised of about 30 ex Mexican Special Forces deserters who decided that narco trafficking was a much better choice than just being ordinary special operators. This group has been one of the bloodiest and boldest in their massacres of opposing groups or individuals. In short, they are not people to tangle with unless you are a government with a special operations group of your own. Much of their infrastructure is already known (see pdf file at the top here) so, dropping some of the data you propose might just serve to get others killed and not damage the organization much at all.
Though, if you did have tasty information, perhaps you could pass it along to the authorities? If not, then maybe Mata Zetas?
Mata Zeta:
Los Matas Zetas is another paramilitary group (Zeta Killers) that has sprung up recently and in fact could be governmentally sponsored. Either way, this group is out to whack the Zetas. Now, were you in posession of data that could be used by them to combat the Zeta’s maybe you could find a conduit to get that to them… Secretly. I am pretty sure though, that these guys, if not sponsored by the government (Mexico and the US) would then just become the next narco trafficking group in line to stop the power vacuum once the Zeta’s have been taken out of the equation.
The basic idea though is this: Use the enemy of your enemy as your friend to destroy your enemy. Get it?
OPSEC:
Ok, so, here we are and you guys have laid claim to the idea of the operation. Then, once people started threatening, you dropped it. Then others like Sabu said it was all a PSYOP and there are things going on in the background still.
Oy vey…
Look, overall you have to follow OPSEC on any operation like this and so far you have been a big FAIL on that account. It’s akin to saying to your enemy;
“I’m attacking at dawn.. From the East… With planes.. Vintage WWI planes…”
What were you thinking?
Obviously you weren’t thinking about OPSEC. You have seen me write about this in the past and you surely have heard Jester talk about it too. It is a key precept to special warfare and you guys just are not ready for prime time here. Unless you follow some basic security measures you will end up dead. So pay attention.. If there was any merit to this operation in the first place.
This Isn’t An Episode of Miami Vice:
Finally, I would like to say that this is not an episode of Miami Vice kids. YOU do not have a nickel plate .45, slip on shoes, and pastel shirts. This is reality and you are more than likely to run up against blackhats who will find you and one by one, these guys will hunt you down.
I know.. You’re an idea… No one can stop an idea…
I’m sorry, but your Idea will also not stop bullets and bad men with knives from cutting you to ribbons when they locate you. Unless you learn some tradecraft, go back to taking on corrupt corporations and paedophiles…
Though.. They too could also hire a hacker huh?
You guys are not ready for this…
K.
Not So 3R337 Kidz
Once again we find ourselves following the story of a new uber dump of data on a Friday (Fuck FBI Friday’s) as they have been dubbed by the skiddies. It seems that 4cid 8urn, C3r3al Kill3r, and Zer0C00l once again have failed to deliver the goods in their #antisec campaign with their ManTech dump. ManTech, for those who don’t know, is a company that handles defense and government security contracts for such things as secure networks etc. The skiddies decided to try and haxx0r the Gibson and get the goods on the bad bad men at ManTech.
Once again, they failed.
The files are mostly UNCLASS (kids, that means UN-CLASSIFIED mmkay?) with a few SBU (Sensitive but UNCLASSIFIED) as well. Many of the files are just documents of finances, bills, resume’s and email addresses that frankly you could get with a good Googling session. Again, we are not impressed by this crap Lulz skiddies. I have told you once, and now I till tell you again, you are failing to deliver anything of interest really.
Now, if you were real APT, then you would have used the data in the excel sheets to create some nice phishing exploits and then gone on to root some good shit. But no, you aren’t that advanced are you? You just want to do the quick hit and dump your ‘booty’ to collect the love from your adoring, albeit stupid, fans. I am sure some of them are at home now wanking off to the idea that you have really stuck it to ManTech and by proxy ‘the man’
Well, you haven’t.. Not so 3r337 as Raz0r and Bl4d3 say.
What you keep failing to understand are sever key things here:
- The good shit is in more protected systems, ya know, like the ones Manning had access to
- You have no idea what you are taking or what you are dumping! Bitch please, understand the classification markings!
- It’s only important to your ‘movement’ if the data actually uncovers bad behavior on the part of the government!
And it’s on that last point I want to harp a little more on. You guys say you are exposing fraud and devious behavior (other than your own subversive tendencies?) and yet, you keep missing the mark. There have been no cohesive plots outed by you other than Aaron and HB Gary’s little foray into creating 0day and programs for propaganda tools online.
Yay you!… ehhh… not so much.
You certainly did spank Aaron though, and for that my top hat and monocle are off to you. He rather deserved what he got for being so God damned stupid. However, you must all understand that these are the standard operating procedures in warfare (PSYOPS, INFOWAR, PROPAGANDA) every nation plays the game and its just the way of life. So, unless you get some real data of a plan to use this type of tech by the US on the US, (other than Rupert & Co.) Once again, I am not really so impressed.
Of course, you have to know that you are now the target of all of those tools right? Not only by the US, but other nations as I have mentioned before. Do you really think that you have not opened the door for other nation states to attack using your name? No one mentioned yet that you are now considered domestic terrorists and could even be considered non domestic after you get caught? You have opened Pandora’s box and all the bad shit is coming.. And much of it is going to be aimed straight at you.
The ironic thing is this.. You have delivered shit. It’s the idea and the cover you have given other nation states or individuals that is key here. You say you can’t arrest an idea… I say certainly not! BUT They can arrest YOU and then make that IDEA not so appealing to the other skiddies once your prosecutions begin on national TV.
So keep it up.. That hornets nest won’t spew hundreds of angry wasps…
Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating
Night Dragon Chinese hackers go after energy firms
Latest revelations from McAfee highlight large scale covert attacks emanating from the region
Phil Muncaster, V3.co.uk 10 Feb 2011Just over a year after the Operation Aurora Chinese hacking revelations shook the world, security vendor McAfee has uncovered another large-scale, covert and targeted attack likely to have originated in the region, dubbed Night Dragon.
Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.
The attacks use methodical but far from sophisticated hacking techniques, according to McAfee’s European director of security strategy, Greg Day.
First the hackers compromise extranet web servers using a common SQL injection attack, allowing remote command execution.
Commonly available hacking tools are then uploaded to the compromised web servers, allowing access to the intranet and therefore sensitive desktop and internal servers.
Password cracking tools then allow the hackers to access further desktops and servers, while disabling Internet Explorer proxy settings allows direct communication from infected machines to the internet, said McAfee.
The hackers then use the specific Remote Access Trojan or Remote Administration Tool (RAT) program to browse through email archives and other sensitive documents on various desktops, specifically targeting executives.
Night Dragon hackers also tried spear phishing techniques on mobile worker laptops and compromising corporate VPN accounts in order to get past the corporate firewall and conduct reconnaissance of specific computers.
Although there is no clear evidence that the attacks were carried out by the state, individuals or corporations, there are clear links to China, said McAfee.
For example, it was from several locations in China that individuals ” leveraged command-and-control servers on purchased hosted services in the US and compromised servers in the Netherlands”, said the security vendor in a white paper entitled Global Energy Cyberattacks: Night Dragon (PDF).
In addition, many of the tools used in the attacks, such as WebShell and ASPXSpy, are commonplace on Chinese hacker sites, while the RAT malware was found to communicate to its operator only during the nine to five working hours of Chinese local time.
McAfee said that researchers had seen evidence of Night Dragon attacks going back at least two years.
“Why is it only now coming to light? Well, the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility,” Day explained.
“Only really in the last few weeks have we been able to get enough intelligence together to join the dots up, so our goal now is to make the public aware.”
Day advised any company which suspects it may have been targeted to go back and look through anti-virus and network traffic logs to see whether systems have been compromised.
Low level day-to-day problems can often be tell-tale signs of a larger, more concerted attack, he added.
William Beer, a director in PricewaterhouseCooper’s OneSecurity practice argued that the revelations show that traditional defences just don’t work.
“The cost to oil, gas and petrochemical companies of this size could be huge, but important lessons can be learned to fend off further attacks,” he added.
“More investment and focus, as well as support and awareness of the security function, is required from business leaders. Across companies of any size and industry, investment in security measures pays for itself many times over.”
Lately there has been a bit of a hullabaloo about Night Dragon. Frankly, coming from where I do having been in the defense contracting sector, this is nothing new at all. In fact, this is just a logical progression in the “Thousand Grains of Sand” approach that the Chinese have regarding espionage, including the industrial variety. They are patient and they are persistent which makes their operations all the more successful against us.
The article above also has a pdf file from Mcaffee that is a watered down explanation of the modus operandi as well as unfortunately, comes off as a sales document for their AV products. Aside from this, the article and pdf make a few interesting points that are not really expanded upon.
1) The attacks are using the hacked systems/networks own admin access means to exfiltrate the data and escalate access into the core network. This has effectively bypassed the AV and other means of detection that might put a stop to a hack via malware.
2) The data that the Chinese have exfiltrated was not elaborated on. Much of the data concerns future gas/oil discovery. This gives the Chinese a leg up on how to manipulate the markets as well as get their own foot in the door in places where new sources of energy are being mined for.
All in all, a pretty standard operation for the Chinese. The use of the low tek hacking to evade the tripwire of AV is rather clever, but then again many of us in the industry really don’t feel that AV is worth the coding cycles put into it. Nothing too special here really. Mostly though, this gives more insight into a couple of things;
1) The APT wasn’t just a Google thing
2) Energy is a top of the list thing, and given the state of affairs today with the Middle East and the domino effect going on with regime change, we should pay more attention.
Now, let me give you a hint at who is next… Can you say wheat? Yep, take a look at this last year’s wheat issues.. Wouldn’t be surprised if some of the larger combines didn’t have the same discoveries of malware and exfiltration going on.
K
HB Gary: Hubris, Bad Science, Poor Operational Methodology, and The HIVE MIND
Algorithms, Social Networks, and COMINT:
When I had heard that HB Gary had been popped and their spool file was on PB I thought that it was unfortunate for them as a fairly well known company. Once the stories started coming out though with the emails being published online, I began to re-think it all. It seems that Aaron Barr really fucked the pooch on this whole thing. He primarily did so due to his own hubris, and for this I cannot fault Anonymous for their actions (within reason) in breaking HB Gary and Barr’s digital spine.
It seems that Barr was labouring not only a flawed theory on tracking social networks, but also in that he planned on selling such a theory and application to the government. One notion was bad, and the other was worse. First off though, lets cover the science shall we? Barr wanted to track users on social networks and show connections that would lead to further data on the users. The extension that he was trying to make was obtaining actual real names, locations and affiliations from disparate sources (i.e. Facebook, Twitter, Myspace, IRC, etc) While this type of data gathering has been done in the past, it has not usually been culled from multiple sources automatically electronically and then strung together to form a coherent pattern. In short, Barr was wanting to create software/scripts to just scrape content, and then try to connect the dots based on statistics to tie people to an entity like Anonymous. The problem, and what Barr seemed to not comprehend, is that the Internet is a stochastic system, and as such it is impossible to do what he wanted with any kind of accuracy. At least in the way he wanted to do it, you see, it takes some investigation skills to make the connections that a scripted process cannot.
This can be seen directly from the article snippet below where the programmer calls Barr on his flawed logic in what he was doing and wanted to do.
From “How one man tracked down Anonymous and paid a heavy price”
“Danger, Will Robinson!”
Throughout Barr’s research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his “analysis” work, but doubts remained. An email exchange between the two on January 19 is instructive:
Barr: [I want to] check a persons friends list against the people that have liked or joined a particular group.
Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.
Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.
Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.
Barr: Noooo….its about probabilty based on frequency…c’mon ur way smarter at math than me.
Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.
Barr: [redacted]
Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.
Barr: [some information redacted] On the gut feeling thing…dude I don’t just go by gut feeling…I spend hours doing analysis and come to conclusions that I know can be automated…so put the taco down and get to work!
Coder: I’m not doubting that you’re doing analysis. I’m doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it’s right. You’re still working off of the idea that the data is accurate. mmmm…..taco!
Aaron, I have news for you, the coder was right! Let the man eat his taco in peace! For God’s sake you were hanging your hat completely on scrape data from disparate social networks to tie people together within a deliberately anonymous body of individuals! Of course one could say that this is not an impossible feat, but, one would also say that it would take much more than just gathering statistical data of logins and postings, it would take some contextual investigation too. This was something Barr was not carrying out.
I actually know something about this type of activity as you all may know. I do perform scraping, but, without real context to understand the data (i.e. understanding the users, their goals, their MO, etc) then you really have no basis to predict what they are going to do or really their true affiliations. In the case of jihadi’s they often are congregating on php boards, so you can easily gather their patterns of friendship or communications just by the postings alone. Now, trying to tie these together with posts on other boards, unless the users use the same nick or email address, is nearly impossible.
Just how Aaron Barr was proposing to do this and get real usable data is beyond comprehension. It was thus that the data he did produce, and then leak to the press enraged Anonymous, who then hacked HB Gary and leaked the data in full claiming that none of the data was correct. Either way, Aaron got his clock cleaned not only from the hack (which now claims to have been partially a social engineering attack on the company) but also from the perspective of his faulty methodologies to harvest this data being published to the world by Anonymous.
OSINT, Counter-Intelligence, and Social Engineering:
The real ways to gather the intelligence on people like Anonymous’ core group is to infiltrate them. Aaron tried this at first, but failed to actually be convincing at it. The Anon’s caught on quickly to him and outed him with relish, they in fact used this as an advantage, spurring on their own efforts to engineer the hack on HB Gary. Without the right kind of mindset or training, one cannot easily insert themselves in a group like this and successfully pull of the role of mole or double agent.
In the case of Anonymous though, it is not impossible to pull this off. It would take time and patience. Patience it seems that Aaron Barr lacked as much as he did on scientific and mathematical method where this whole expedition was concerned. Where his method could have been successful would have only come from the insertion of an agent provocateur into the core group to gather intel and report back those connections. Without that, the process which Aaron was trying would have yielded some data, but to sift through it all with interviews by the FBI and other agencies would have become ponderous and useless in the end.
It is my belief that there is a core group of Anon’s as I have said before. Simply from a C&C structure, there has to be an operational core in order for there to be cohesion. This can be seen in any hive structure like bees, there are drones, and there is a queen. A simple infrastructure that works efficiently, and in the case of anon, I believe it is much the same. So, were one looking to infiltrate this core, they would have a bit of a time doing so, but, it could be done. Take out the core, and you take out the operational ability of the unit as a whole to be completely effective. To do this though, one should be able to understand and apply the precepts of counter intelligence warfare, something Barr failed to grasp.
In the end.. It bit him pretty hard in the ass because he was in a hurry to go to press and to sell the ideas to the military industrial complex. Funny though, the real boys and girls of the spook world would have likely told him the same thing I am saying here… No sale.
Oh well… Arron Icarus Barr flew too close to the anonymous sun on wings made from faulty mathematical designs and burned up on re-entry.
K.
Служба Внешней Разведки: Russian Espionage “The Illegals 1990-2010”
Служба Внешней Разведки
“Christ, I miss the Cold War”
M from Casino Royale
The dramatic events unfolding within the last day or so over the “illegals” program caught by the FBI is really the stuff of Le Carre and other writers of espionage fiction. Yet, this is all real….
The reports started coming out yesterday afternoon and having seen a blurb on CNN I went out and got a hold of the complaint by the Federal government against the 10 conspirators and had a sit down. In the end I found myself alternately laughing at the story that unfolded as well as waxing historical about yesteryear during the cold war days. It seems though that one thing has changed a bit since the old days.
Millennial Spies?
It seems the SVR had to remind their operatives that they were in fact here for a reason and being taken care of for that reason, i.e. being spies.
This communique pretty much alludes to the fact that perhaps the “illegals” had been here too long and had begun feeling entitled as opposed to being servants of the state. This is a bit of a difference from the old cold war days. Yes, of course some deep cover operatives might have become “comfortable” in the west, but, they pretty much lived under the fear of reprisals to themselves and family in the old country if they misbehaved. This message and some of the handling that can be seen from the surveillance bespeaks a more millennial attitude by these illegals than old school Sov operatives. in one case an officer remarks that he is glad not to be one of the illegals handler as he is bitching about money… Kinda comical…
It also seems to me that some of these operatives were in fact quite young when they started and even as things progressed, were not as well trained as they could have been. In one case there is a remark of only about 2 weeks of training at the SVR center, and this is not quite like the old days when the spooks got some serious training before going out in the field. Of course today, post the 1990’s break up of the Soviet Union, I suspect that in some of the minds at “C” we (FBI) have become lax at detection and operations just because we were very Sov oriented back in the cold war period.
However, this group of illegals seems to have been in play since the late 90’s and over time, have become more American than true blood Russian idealogs. With the amounts of money being passed to them over the years, these folks were rather well taken care of. This is something a bit different from the old days and bespeaks a paradigm shift in the SVR’s handling of them and approaches to getting good INTEL out of them. These folks were monetarily motivated which is usually how spies get brought in from other nation states, not the ones being sent to foreign posts by the motherland.
Times are a changing though… Guess you have to roll with it or lose assets.
Technology and OPSEC
The times have changed and with them the technologies of spy-craft do too. In the case of the illegals not only did they engage “AD HOC” wireless networks between laptops in open spaces (ballsy really given the nature of WIFI 802.11 standards and vulnerabilities) but also with the addition of things like the use of “Steganography
For some time now I have been randomly hoovering sites looking for stegged images and so far, I have come up with potential hits (Jihadist sites) but as yet, I haven’t been able to decrypt anything that is alleged to be hidden. In the case of the illegals, they had special software installed on laptops given to them by Moscow Centre. It turns out that these laptops and the schemes that they were using didn’t always work for the agents but, in many cases, had it not been for the surveillance by the FBI, this particular method of data passing might not have been seen.
Overall, the technology today is neat but as in the case of the AD HOC networking over WIFI, I have to wonder about their choice here. I mean it wasn’t all that long ago that the CIA had a fiasco wth a “WIFI” enabled faux rock in a park in Moscow. The rock was supposed to be able to transfer data onto a CF type card from a PDA or phone that the asset would pass by. As the technology failed, the KGB noticed that there were people wandering around looking to connect to this rock. When they did a search they got the rock and later the asset trying to connect to the faulty device. So much for the technological approach.
When it works it works great.. When it fails, you end up in Lubyanka…
Tradecraft: Tried and True
Meanwhile, some of the illegals seem to have perfected the tradecraft side of the work by performing brush passes with operatives from the Russian consulate as well as infiltrate and exfiltrate out of other countries using bogus passports etc. It seems that perhaps though, that the FBI caught on to the group however and exploited poor tradecraft practices to catch onto the whole of the operation. In one case the handler from the consulate took 3 hours of evasion practices to elude any possible surveillance only to be compromised by the fact that the “illegal” already was under surveillance… OOPS.
The meetings that are mentioned in the complaint though show how much tradecraft the group was using to perform their meetings. These included marking, dead drops, and of course the brush passes with pass phrases like “Didn’t I meet you in Bangkok in 1990?” So those of you who think that its just cliche, its not really… Even in todays technological world these practices are kept up BECAUSE the technology is so easily watched from remote ala the NSA. Of course it was that technological FAIL along with the poor practices of basic information security that caught them in the end.
Kinda funny really.. I mean how often do I moan and wail about all of this huh and here it is that very thing that pops a group of spies for Russia.
Funny…
Meanwhile some of the “old school” techniques still pervade…
Numbers Stations and Rapid Burst Transmissions Making a Comeback
When some of the houses/apartments were black bagged, the operatives found that the illegals were not only using “rapid burst” radio technology, but also the old old school technique of “Numbers Stations” to get their orders as well as report their data to Moscow Centre. I imagine that in the case of the rapid burst technology, they were in close proximity of either other operatives that they did not know about, or they were in fact close enough to the consulates that they could burst their data to their arrays on the roof.
This stuff is really old school and I have mentioned before that the number of “numbers” stations has increased over time since the internet age took over because this technology, properly implemented, is sure fire and hard to detect. After all, how many of us have short wave radios in their homes huh? The burst technology though is a little more circumspect and can be detected, but since it has not been in vogue for some time, I doubt many agencies are looking for it. Perhaps a HAM radio operator in the area might have picked up on it but it was the surveillance team that mentions “noise” that seems to be radio transmissions.
It just goes to show that sometimes the new tech just doesn’t cut it. You need to go old school.
Espionage 2010, Pooty Poot, The Bear Never Left
In the end, I expect to be hearing more about this story in the news. There will likely be the expuslions of diplomats from the Russian consulates in the US as well as the ongoing coverage of the trials. What I am wondering about though is that the FBI charged these guys with smaller charges rather than official “espionage”
This makes me think that there is much more to this tale behind the scenes that we will eventually get in dribs and drabs. I personally think that the illegals that we caught really made a dent in the security of the nation. The complaint does not mention any high level connections that would be bad enough to consider this operation as a whole to be damaging. However, if the group is in fact bigger or as we know, there are others out there, just who have they compromised? Remember that in the complaint you can see Moscow Center asking about compromisable assets. What they really wanted was to go old school and get the dirt on someone juicy and turn them… and given Washington’s habit of nasty behavior with pages or toe tapping in airport mens rooms, I can see they had a rich target environment.
All of this also makes it so ironic that the operation had been ongoing since at least the Clinton administration. When “W” looked into the soul of Pooty Poot, he wasn’t in fact seeing anything there. George, he was PWN-ing you as you gave him the reach around.. and liked it. The Bear never left my friends and anyone who thought we were all friends with rainbows and puppies where Russia was concerned is seriously deluded.
The only thing that has changed is that the American conciousness became… Unconcious to conspicuous wealth and reality TV.
I too pine for the cold war…Looks like its back on.
So in conclusion here are some questions that I have:
- Why was this operation rolled up now?
- How did the FBI catch on to these illegals?
- Who is “FARMER”
- Who is “PARROT”
- Why the charges of not telling the AG that the illegals were.. well illegal and not actually charged with “espionage”
- Why did “C” want the operatives to buy ASUS EEE PC’s?
- What steg program did they have?
- When will we be expelling the 3 consulate “secretaries” in NYC?
You can read the “almost full” complaint here
CoB
Krypt3ia 