Threat intelligence report on the various North Korean advanced persistent threat groups, who we know from open source intelligence they are composed of, and what activities they have carried out over the last five years.
This article is part of an ongoing experiment with the use of ChatGPT for developing primers on cyber security topics.
Threat Intelligence Report: North Korean Advanced Persistent Threat Groups
Executive Summary: North Korea is known for its active state-sponsored hacking groups that carry out cyber espionage and disruptive activities to further their strategic objectives. These Advanced Persistent Threat (APT) groups are known for their sophisticated tactics, techniques, and procedures (TTPs) to infiltrate targeted networks and steal data. This report provides an overview of the various North Korean APT groups, their composition, and the activities they have carried out over the last five years.
Background: North Korea’s regime has long recognized the importance of cyber warfare as a means of advancing its strategic interests. The country has been accused of orchestrating several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.
North Korean APT Groups: North Korea has a number of active APT groups that conduct cyber espionage and disruptive activities. The following are some of the most notable groups:
- Lazarus Group: Lazarus is one of the most well-known North Korean APT groups and has been active since 2009. The group is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency. Lazarus Group has been linked to several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.
- APT37: Also known as Reaper, APT37 is believed to be a sub-group of Lazarus Group. The group is known for its sophisticated malware and phishing campaigns and has targeted a range of sectors, including government, military, and the media.
- APT38: APT38 is a North Korean hacking group that is believed to be responsible for cyber attacks on financial institutions around the world. The group is known for its advanced capabilities, including the ability to bypass two-factor authentication and other security measures.
- Kimsuky: Kimsuky is a North Korean APT group that is believed to operate under the country’s military intelligence agency. The group is known for its spear-phishing campaigns targeting South Korean government agencies and the country’s military.
Activities over the last five years: Over the last five years, North Korean APT groups have been involved in a range of cyber attacks, including:
- The 2014 Sony Pictures hack: Lazarus Group was linked to the attack, which resulted in the theft and release of sensitive data and caused significant damage to Sony Pictures’ reputation.
- The 2016 Bangladesh Bank heist: APT38 was linked to the attack, which resulted in the theft of $81 million from the Bangladesh Bank’s account at the Federal Reserve Bank of New York.
- The 2017 WannaCry ransomware attack: Lazarus Group was linked to the attack, which affected over 200,000 computers in 150 countries and caused widespread disruption.
- The 2018 Pyeongchang Winter Olympics cyber attack: Kimsuky was linked to the attack, which targeted the email accounts of South Korean officials and organizations involved in the event.
Exposed Assets within DPRK Cyber Operations
North Korean state-sponsored hacking groups, also known as Advanced Persistent Threat (APT) groups, have been widely identified and studied by cybersecurity researchers over the years. These groups are believed to be operated by the North Korean government and are known for their sophisticated cyber espionage and cyber attack capabilities.
Here are some of the known names of operators within North Korean APT groups:
- Lazarus Group: The Lazarus Group is perhaps the most well-known North Korean APT group, and has been active since at least 2009. It is believed to be responsible for a wide range of cyber attacks, including the infamous Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Some of the known Lazarus Group operators include Park Jin Hyok, who was indicted by the US Department of Justice in 2018 for his involvement in the Sony Pictures hack, and Kim Il, who is believed to be a key member of the group’s cyber espionage operations.
- APT37: Also known as Reaper or Group123, APT37 is another North Korean APT group that has been active since at least 2012. It is known for its wide range of cyber attack capabilities, including espionage, data theft, and destructive attacks. Some of the known APT37 operators include Kim Hyon Woo and Jon Chang Hyok.
- APT38: APT38 is believed to be a sub-group of the Lazarus Group, focused specifically on financial gain through cyber attacks. It is known for its involvement in a number of high-profile attacks against banks and financial institutions, including the theft of $81 million from the Bangladesh Bank in 2016. Some of the known APT38 operators include Park Jin Hyok and Kim Su Jin.
- APT27: Also known as Emissary Panda, APT27 is believed to be a Chinese-speaking North Korean APT group that has been active since at least 2010. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT27 operators include Zhang Xiao and Zhu Qiang.
- APT10: APT10, also known as Stone Panda, is another Chinese-speaking APT group that is believed to have close ties to North Korea. It is known for its cyber espionage and data theft capabilities, and has been linked to attacks against government agencies, defense contractors, and other high-value targets. Some of the known APT10 operators include Zhang Zhang-Gui and Tan Daijing.
It is important to note that these are just some of the known names of operators within North Korean APT groups, and that these groups are constantly evolving and changing their tactics and techniques. Cybersecurity researchers and law enforcement agencies around the world continue to monitor these groups closely in order to better understand their capabilities and prevent their attacks.
TTPs, IOCs, and Campaigns by DPRK OPS
North Korean Advanced Persistent Threat (APT) groups have been actively engaged in cyber espionage and cyber attack campaigns for many years. These groups are known for their sophisticated Tactics, Techniques, and Procedures (TTPs), which they use to compromise networks, steal data, and conduct other malicious activities. In this report, we will discuss some of the key TTPs, Indicators of Compromise (IOCs), and campaigns associated with North Korean APT groups.
Tactics, Techniques, and Procedures (TTPs):
- Social Engineering: North Korean APT groups often use social engineering tactics to trick users into installing malware or providing sensitive information. This includes spear-phishing emails and fake social media profiles.
- Malware: North Korean APT groups develop and use a wide range of malware, including Remote Access Trojans (RATs), Keyloggers, and data exfiltration tools. They often customize their malware for specific targets to avoid detection.
- Exploits: North Korean APT groups actively search for vulnerabilities in software and operating systems that they can exploit to gain access to target networks. They have been known to use exploits for zero-day vulnerabilities to remain undetected.
- Encryption: North Korean APT groups often use encryption to protect their malware and data exfiltration activities. They may also use steganography to hide malware within benign-looking files.
Indicators of Compromise (IOCs):
- IP addresses: IP addresses and ranges observed in North Korean APT group attacks can be used as indicators. Some of the well-known ranges used by these groups include 175.45.176.0/22 and 210.52.109.0/24.
- Domains: North Korean APT groups often register domains that are similar to legitimate websites in order to trick users. Some of the known domains used by these groups include dc56wd4z2f4q3vix.onion and gosmail[.]co.
- Malware signatures: Researchers have identified a range of malware signatures associated with North Korean APT groups. Some of the well-known malware signatures include “Freenki” and “SiliVaccine.”
- Command and Control (C2) infrastructure: North Korean APT groups often use unique C2 infrastructure to communicate with their malware. This includes custom protocols and communication channels.
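The network IOCs listed above are only useful once they are normalized and matched against real telemetry. The following is an added example, not code from the original post: a small IOC matcher that takes the report's CIDR ranges and defanged domains (the "gosmail[.]co" notation), refangs them, and scans constructed DNS, proxy and firewall log lines. The log lines are made up for the example, and whether the report's indicators are still live is an assumption that must be verified against current feeds.

```python
import ipaddress
import re

# IOC values as they appear in the report above (constructed sample for this
# example; treat them as unverified until checked against a current feed).
IOC_NETWORKS = ["175.45.176.0/22", "210.52.109.0/24"]
IOC_DOMAINS = ["dc56wd4z2f4q3vix.onion", "gosmail[.]co"]


def refang(text: str) -> str:
    """Undo common defanging so indicators compare against real log values.
    Handles the bracketed dot used in the report ("gosmail[.]co") plus the
    (.), {.} and hxxp:// variants commonly seen in threat reports."""
    s = text.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"\bhxxp(s?)://", r"http\1://", s)
    return s


def compile_iocs(networks, domains):
    """Parse CIDR strings into ip_network objects and refang domain IOCs."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    doms = {refang(d) for d in domains}
    return nets, doms


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def ip_hits(line, nets):
    """Return (ip, network) pairs for every IP in the line inside an IOC range."""
    hits = []
    for raw in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # e.g. "999.1.1.1" is matched by the loose regex
        for net in nets:
            if ip in net:
                hits.append((raw, str(net)))
    return hits


def domain_hits(line, doms):
    """Return (host, domain) pairs for hosts equal to or under an IOC domain."""
    hits = []
    for host in HOST_RE.findall(refang(line)):
        for d in doms:
            # match the domain itself and any subdomain (mail.gosmail.co)
            if host == d or host.endswith("." + d):
                hits.append((host, d))
    return hits


def scan(lines, networks=IOC_NETWORKS, domains=IOC_DOMAINS):
    """Scan log lines and return one finding per IOC match."""
    nets, doms = compile_iocs(networks, domains)
    findings = []
    for lineno, line in enumerate(lines, 1):
        for value, ioc in ip_hits(line, nets) + domain_hits(line, doms):
            findings.append({"line": lineno, "value": value, "ioc": ioc})
    return findings


# Constructed sample log lines (not real traffic) mixing DNS, proxy and
# firewall formats; line 6 is a near miss just outside the /24.
SAMPLE_LOGS = [
    "2023-03-01T10:02:11Z dns query client=10.0.0.15 qname=mail.gosmail.co type=A",
    "2023-03-01T10:02:12Z proxy user=jdoe dst=175.45.178.20:443 method=CONNECT status=200",
    "2023-03-01T10:03:40Z fw allow src=10.0.0.15 dst=8.8.8.8 dport=53",
    "2023-03-01T10:04:02Z proxy user=asmith url=hxxp://dc56wd4z2f4q3vix[.]onion/x status=403",
    "2023-03-01T10:05:55Z fw deny src=210.52.109.200 dst=10.0.0.7 dport=445",
    "2023-03-01T10:06:10Z fw allow src=10.0.0.9 dst=210.52.110.5 dport=443",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['value']} matched IOC {f['ioc']}")
```

Note that a .onion name will only appear in logs if Tor traffic is proxied or DNS-leaked, so absence of that match says little on its own.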
Campaigns:
- Operation AppleJeus: This campaign was carried out by the Lazarus Group and involved the creation of a fake cryptocurrency trading application called Celas Trade Pro. The malware used in this campaign was designed to steal cryptocurrency from users of the fake application.
- Operation GhostSecret: This campaign involved the use of malware designed to steal sensitive data from a wide range of industries, including healthcare, telecommunications, and finance. The malware used in this campaign was linked to the APT37 group.
- Operation Sharpshooter: This campaign was carried out by the Lazarus Group and involved the use of a new malware called “Rising Sun.” The malware was designed to steal sensitive data from military and government organizations in the US and Europe.
- Operation North Star: This campaign was carried out by the APT38 group and involved the use of malware to steal millions of dollars from financial institutions in countries including South Korea and India.
Malware Groups
North Korean Advanced Persistent Threat (APT) groups have been developing and using a wide range of malware for many years. This malware is used to conduct cyber espionage, cyber attacks, and other malicious activities. In this report, we will discuss some of the known North Korean malware and the APT groups that are associated with them.
- Destover: This malware was used in the 2014 Sony Pictures hack and was attributed to the Lazarus Group. Destover is a wiper malware that is designed to delete files and overwrite the master boot record of infected systems.
- Joanap: This malware was attributed to the Bluenoroff group and was used in a range of attacks against South Korean targets. Joanap is a Remote Access Trojan (RAT) that is capable of executing commands on infected systems, stealing data, and conducting reconnaissance activities.
- Brambul: This malware is associated with the APT38 group and is used to conduct SMB brute-force attacks. Brambul is designed to infect vulnerable Windows systems and use brute-force attacks to gain access to network shares.
- WannaCry: This ransomware attack occurred in 2017 and was attributed to the Lazarus Group. WannaCry was designed to exploit a vulnerability in the Windows operating system and encrypt files on infected systems, demanding a ransom for their release.
- Andariel: This malware is associated with the APT37 group and is designed to steal cryptocurrency. Andariel is capable of stealing credentials, executing commands, and exfiltrating data from infected systems.
- ELECTRICFISH: This malware is associated with the Hidden Cobra group and is used to create a tunnel for exfiltrating data from infected systems. ELECTRICFISH is capable of bypassing firewalls and other security measures to exfiltrate data to command and control (C2) servers.
- KEYMARBLE: This malware is associated with the Kimsuky group and is designed to steal data from infected systems. KEYMARBLE is capable of stealing passwords, executing commands, and exfiltrating data to C2 servers.
- SILENTTRINITY: This malware is associated with the APT10 group and is a modular backdoor that can be customized for specific attacks. SILENTTRINITY is capable of executing commands, stealing data, and conducting reconnaissance activities on infected systems.
Conclusion: North Korean APT groups continue to pose a significant threat to global security and stability. Their sophisticated tactics, techniques, and procedures (TTPs) make them difficult to detect and mitigate. To mitigate the risk of North Korean cyber attacks, it is essential for countries and organizations to invest in better cybersecurity measures, share threat intelligence, and adopt a proactive approach to cyber defense.
Krypt3ia generated this text with ChatGPT, OpenAI’s large-scale language-generation model. This author reviewed, edited, and revised the language to my own liking and takes ultimate responsibility for the content of this blog.
The Potential For A.I. Powered Ransomware
Generated with ChatGPT at my prompt…
Ransomware attacks are a constant threat to businesses, government organizations, and individuals. The use of ransomware has become more sophisticated in recent years, with attackers using double extortion tactics, ransomware as a service, and multi-stage attacks to maximize their profits. However, the next frontier in ransomware attacks could be AI-powered ransomware.
AI technology has made significant strides in recent years, with machine learning and deep learning algorithms becoming more prevalent in various industries. While AI has the potential to revolutionize many areas, it also has the potential to be weaponized by hackers. AI-powered ransomware attacks would be more challenging to detect and could be more targeted and effective than traditional ransomware attacks. In this article, we will explore the potential for AI-powered ransomware attacks and their impact on cybersecurity.
How AI Could Be Used in Ransomware Attacks
AI technology could be used to improve various aspects of a ransomware attack. For example, AI could be used to identify vulnerabilities in a target’s network, to select the most valuable targets, and to optimize the timing of the attack. AI algorithms could also be used to develop new attack vectors that evade detection and make it more difficult to protect against ransomware attacks.
One of the most significant advantages of AI-powered ransomware attacks is that they can be highly targeted. AI algorithms can analyze a target’s network and identify specific weaknesses that can be exploited to gain access to critical systems and data. This level of targeting is difficult to achieve with traditional ransomware attacks, which typically rely on widespread distribution to maximize their impact.
AI could also be used to optimize the timing of a ransomware attack. For example, AI algorithms could analyze patterns of network activity to determine the most effective time to launch an attack. By timing the attack to coincide with periods of low activity or when critical systems are most vulnerable, the attacker could increase their chances of success.
Another potential use for AI in ransomware attacks is to develop new attack vectors that evade detection. AI algorithms could be used to analyze security measures and identify weaknesses that can be exploited to launch a successful attack. By developing new attack vectors that are not currently known to security researchers, the attacker could bypass traditional security measures and increase their chances of success.
The Impact of AI-Powered Ransomware Attacks
AI-powered ransomware attacks could have a significant impact on cybersecurity. Traditional ransomware attacks are already a significant threat, but AI-powered ransomware attacks could be more effective and difficult to detect. The targeted nature of these attacks could make them particularly damaging, as attackers could focus their efforts on critical systems and data.
The use of AI in ransomware attacks could also make it more difficult for cybersecurity professionals to protect against these attacks. Traditional security measures, such as firewalls and antivirus software, may be less effective against AI-powered ransomware attacks. AI algorithms can analyze these measures and develop new attack vectors that can bypass them.
Furthermore, the use of AI in ransomware attacks could increase the overall number of attacks. Ransomware as a service (RaaS) has already made it easier for less experienced cybercriminals to launch ransomware attacks. The use of AI could further lower the barrier to entry, making it easier for even inexperienced attackers to launch successful attacks.
Finally, AI-powered ransomware attacks could have significant economic and geopolitical implications. The cost of ransomware attacks has already been substantial, with victims paying millions of dollars to recover their data. The use of AI could make these attacks even more effective, resulting in even higher costs for victims. Moreover, the use of AI by nation-state actors could lead to a new era of cyberwarfare, with countries using AI-powered ransomware attacks to cripple the infrastructure of their enemies.
The Road To PII Hell Is Lined With Job Applications
Due to unfortunate circumstances, I found myself in the position of looking for work after twelve years in one place. As I have been applying for new positions, I have been astonished and appalled at the amount of very personal information that companies are now collecting from prospective applicants. Gone are the days of simple applications where you fill out details about your location, work history, and education. Now, companies are asking the deeper personal questions about your sex, sexuality, status as protected persons, veteran status, veteran status as a protected vet, and other data points that should have us all kinda perturbed.
This story was in my Masto feed this morning and clearly, to me, is a harbinger of things to come. While people may openly proclaim their sexuality now, with pronouns and the like, not all of them, I am sure, would be overly comfortable with a scenario like the one above happening to them. Now, consider it is not only the university you are attending, but also the companies that you applied to in the past, as well as the one you perhaps got your job with, that have this data in some database, and they get hacked and all this stuff is up for sale in the darknet as well?
If you all thought that your data was in disparate places and could not be married together easily, well, those days are over, and with the successive hacks and dumps being sold in the darknet and on forums, a savvy collector could create quite a dossier on you with all this kind of personal information. Never mind that the government of late seems to be in a space where, at least in the US, certain factions have gained a foothold and are setting up agendas to abuse your data as well.
Case in point, Florida…

Florida’s mini Trump wants all the Trans Data for unclear reasons, but I think you all can get a sense of what he might be up to from his rhetoric in the past and his dark ambitions of a White House run, maybe in 24. What is clear, though, should be that seeking such data is likely going to lead to abuse of it, either deliberately or by being careless in caring for it, and you all should be afraid. By all, I mean anyone and everyone, not just trans people; this kind of data being collected, just as I mentioned above in the applications process today, is basically a single stop shop for someone looking to know about you pretty completely in one handy data dump.
Your email address
Your phone numbers
Your address
Your work history
Your certifications and education
…and now
Your sexual preferences
Your pronouns
Your protected status
Your vet status
Your major ailments (I have even seen them asking if you have IBS etc)
Your Instagram address
Your blog addresses
Your twitter address
Your LinkedIn address
Hell, on one of the applications (well, technically, it was a separate email afterward with a form to fill out) I even got asked about my religious affiliation as well! (This was a remote job, but the firm was in Northern Ireland.)
Quite the collection of data just to get a job these days…
All of this data is being handed to every company that you apply to, specifically online, in a form that is saved in a server database somewhere that likely will not be purged or encrypted.
It all waits to be stolen.
Of course, this is just my considered opinion, just a security practitioner off the street, so to speak…
Be afraid.
K.
Cartel Extortion Text & Call Campaigns
A user got an unwelcome call and set of extortion texts yesterday, the likes of which I had never seen before. The above text is part of a chain, which I will upload here (beware, images of violence/death follow) to show just how shocking and scary these can be. I just want to let the rest of the community know about this vector of attack and to be ready in case the same thing happens to their user bases.
This user not only had texts and images of threats come through, but the user also stated that the incident started with a phone call that they did not answer. While the actor did not attempt to leave a message or call back, they then switched over to messaging. The cell phone number used was a legit one, but had been passed around, as cell numbers do. Tracking it down further would take a warrant, it seems, but a bit of digging on my part gave the user a sense of relief that this was just a rando looking for a payday, albeit one by threatening the lives of family and friends.
In this specific case, the hook was that the actor was claiming that the target had been harassing sex workers and wasting their time? The language is poor, but this seems to be the gist. While the actor went all in, and had done OSINT on the user’s name (probably linked via phone or social media connections) they failed to really profile the user’s family enough to know who was already deceased and who was not, etc. Though, this was still enough to get a worried reaction from the user, and escalation to me to investigate.
The images then sent were the moment of fight or flight, really. I have reverse image searched the images and they come from the Congo. These images are of the gangland type slayings there, and man, when you reverse search images like these, you really get a sense of just how fucked up the internet is. The analogous images out there are ALL OVER and you can access them easily. No wonder our children are so desensitized to things, huh?
After contacting the user and having them block the number, I then took a look at the net for other like campaigns, and variations have been ongoing for over a year. The worst of them seems to be when the actor has enough intel to involve the “kidnapping” scheme. In this one, they claim to have kidnapped the target’s child or children, which I am sure sends the target into a higher panic.
The FBI has put out some guidance on these but, I wanted to post the gist right here for you…
To avoid becoming a victim of this extortion scheme, look for the following possible indicators:
- Calls are usually made from an outside area code.
- May involve multiple phone calls.
- Calls do not come from the kidnapped victim’s phone.
- Callers go to great lengths to keep you on the phone.
- Callers prevent you from calling or locating the “kidnapped” victim.
- Ransom money is only accepted via wire transfer service.
If you receive a phone call from someone who demands payment of a ransom for a kidnapped victim, the following should be considered:
- Stay calm.
- Try to slow the situation down.
- Avoid sharing information about you or your family during the call.
- Request to speak to the victim directly. Ask, “How do I know my loved one is ok?”
- Request the kidnapped victim call back from his/her cell phone.
- Listen carefully to the voice of the kidnapped victim if they speak, and ask questions only they would know.
- If they don’t let you speak to the victim, ask them to describe the victim or describe the vehicle they drive, if applicable.
- While staying on the line with alleged kidnappers, try to call the alleged kidnap victim from another phone.
- Attempt to text or contact the victim via social media.
- Attempt to physically locate the victim.
- To buy time, repeat the caller’s request and tell them you are writing down the demand, or tell the caller you need time to get things moving.
- Don’t directly challenge or argue with the caller. Keep your voice low and steady.
The above is a reaction to a Salt Lake City incident, but, it works for all of these kinds of attacks. If you get wind of one of these, you can connect with your local FBI office to report it.
Heads on a swivel, people.
K.
The 2021 Krampus List Masacree

The Great Krampus has been sleeping for some time now, while the whole of the world burns and careens closer to its inevitable dreary end. As we close out 2021 with another variant, lockdowns beginning, and the fuckery levels not abating whatsoever, Krampus just wants to say that he is fucking tired of all this shit.
So, so, so, tired.
But alas, Krampus cannot rest because INFOSEC is just as fucked as the rest of the world and he has a job to do. So, he slogged out this here post for all you kids, so shit down by the fire kidsh, and let Uncle Krampus lay out the masacree.
Right, well, there is a lot of fuckery going on out there kids. Krampus’ jaundiced eye has noticed, and you all should be ashamed of yourselves really.
Just who, you may be asking?
You know who you are, and you should be ashamed.
The fact is, there are just too many for Krampus to actually have a list and name you all. Whether it is the Ransomware groups, phishing masters, initial access brokers, techbros, cyber misogynists, cyber hate mongers, trolls, cyber wokeists for the sake of being woke, whatever that is, the mewling masses online just making a constant background static of fuckery, you all need a serious caning in my basket.
What about all the INFOSEC?
Well, you just fucking hold on there skippy, I am getting to that ok!
INFOSEC has been up to the same old crap really: sales, sales cold calls, sales cold email spamming, and the inevitable barkers on all corners of the mediasphere trying to hawk their crappy products with promises that it will even give you added male potency. Nothing changes but the names of the companies that do so to get out of chapter 11 and start up fresh with a new name and hopes that no one will notice their previous chicanery.
In essence kids, it’s the same ol’ same ol’ and will continue to be so until there is no one left after the great collapse of our society from pandemics, plagues, and climate change.
Rosy, huh?
But, what about all the people trying to do good? You ask…
Not enough of them kids, not enough, and never will be. Humanity is a plague upon the world and Krampus holds out no hope that it will get better. The cybers are now out of Pandora’s box, thanks to all of the techbros, Cyber Utopians, and grifters looking to make a quick bitcoin on an animated gif of a fist giving the bird as an NFT.
As Krampus gazes into his snow globe (stolen from Winter Wizard played by Keenan Wynn… Ok, how many had to look that up after reading that?) he only sees doom and cyber dystopia to come. He has watched as Democracy has been eroded and may be destroyed while all of you mewl about it online but fail to really do anything about it but tweet.
So, continue on kids, complain and snipe at each other over cyber stuff all you like, the world will burn around you anyway, like that “This is Fine” gif that you all seem to love so much… Hell, maybe log4j will be that final cyber straw on the cyber camel’s back, huh?
One can only hope….
Maybe it’s time to just pay Elon in bitcoin and get the fuck off this planet.
Krampus.
Perilous Times
Earlier today I posted a long thread, but I wanted to make a more cogent post for those of you not on Twitter. My tweet thread went something like this…

The events of January 6th, 2021, were, I fear, just a prelude to an ongoing threat that will culminate in actions against not only the inauguration, but also across the country at capitols in most of the states. These actions, basically more insurgency and insurrections, will be a turning point for the United States, more so than what has already taken place within the space of four years of Trump degradation of the values the Constitution upholds.
What I have been monitoring online in the open and places more dank, has been the first time since monitoring Islamic Jihad, that I have felt that we have finally reached a point where domestic terrorism was the larger threat to the nation than Islamic Jihad and all the various flavors of that there are. Specifically, since 9/11, I have never felt that internal forces could come close to wreaking the devastation that the 19 attackers did on September 11th, 2001. Now though, I am worried that the first skirmish at the Capitol of our Democracy, will not be the last, nor will it be the bloodiest.
The forces of the Alt-Right, are now, it seems, the totality of the Republican base, and within them are a melange of unstable individuals and groups:
We have the Qanon folks, who are outright paranoid delusional individuals or grifters; mostly, though, they are made up of true believers with mental instability and ideations that lean toward violence when their world view is challenged.
We have the MAGAheads who also cross pollinate with the Qanon true believers as well. These are the people who are just drawn to the strongman in Trump.
We have the ProudBoys, who, well, are much more oriented toward hate and are oftentimes bridges to Neo Nazism. The Nazis are all over the place too now, in amongst the sheeple that are the MAGAheads and the Qanon’s, and they are something to really be concerned about.
What is really happening here is that as things play out, it is becoming increasingly clear in the Telegram channels for the NaziProudBoy set that they are planning on using the MAGAheads and the Qanon’s as cannon fodder in their own putsch for their own goals. These people have another, more hate filled agenda, and that is of the kind that you saw in some of the crowd at the events on Capitol Hill. The kind who wear shirts like this and believe that eleven million Jews killed in the holocaust were not enough.
The net effect, though, is that there are forces at work, in the open at first, but now scattering to the darker parts of the internet, plotting and planning actively another series of attacks, because they have been empowered to do so by the likes of MAGA and Qanon. This cannon fodder is their diversion to carry out more focused and dangerous attacks like what was attempted at the Capitol. They failed last time, but only just, and now, if they can rally their cannon fodder along with Trump, then they will have another few bites at the apple.
Also, if they succeed, even marginally, then they will be empowered further in recruiting and planning for more later on down the road. All of us should be concerned by this, just as much as you should be concerned in how many of these people of like mind, already sit within the government, military, and police forces of the United States.
As the date approaches for the next insurrection, we should all concern ourselves with the idea that Washington DC, and in fact many places in the United States (e.g. capitols, state buildings, federal buildings as well as corporate buildings), may become the new American Kabul or Palestine, with fighting in the streets by pseudo guerrilla forces of Trump America. They will plan all their actions in private chat rooms on Gab and Telegram, or create new venues that likely will rely on services from places like Russia, where they will not be deplatformed, because these sites and these forces, plotting and acting out, are a boon to Putin.
As if this all wasn’t bad enough, last night the Joint Chiefs felt moved to put out a statement memorandum admonishing sedition and reiterating that the military is not a political body and that their directive was to protect the Constitution and the people. The fact that they had to say this in this way is a troubling thing, and we all should be concerned about just how many in the military and other forces like the police are in fact believers in Trump and these other doctrines being put out there by Qanon, the Alt-Right, Nazis and Proudboys.
One of the biggest concerns out there that you all should be aware of, is just how much sway someone like Flynn might have on these same people. Also, just how many connections and loyalties he may still have, as he is now the titular leader of Qanon, the public face of Q, a man in the “know” as he was in the IC proper and held a high position.
Here he is before the insurrection at the Capitol, basically pointing at the stadium seats and saying “go for it, I got your back and Q has all the answers as well as Trump.” This is a dangerous man, who is now free to carry out Trump’s and his own grifter agenda after being pardoned by his master. This is the man who worked as an agent of Turkey, willing to rendition a US citizen to the Turks for money.
We are through the looking glass, people.
Be afraid, because if Trump continues to be a chaotic and psychotic force, whipping these people up, we will be seeing more of this in the coming years. Unless the states that have criminal cases against him act, we will not see the last of Trump. Without him being charged and perhaps incarcerated, he will continue on this path and it seems, attempt to run for high office again.
This will not end well.
Keep your wits about you.
K.
Enemies of The People: An Information Operation

Yesterday, I saw an article on the news wire in which Krebs’s lawyer mentioned a site (enemiesofthepeople) and decided to do a little looking. Going down the rabbit hole, I used Google Domains to do some searches to see what iterations of the site name were already taken and found a list of sites that I began investigating. Once I located the main site, it became clear that the creators had also taken out a bunch of sites to post the same content and were actively putting them online even as I was digging.
The sites are registered all over the place, including bare-IP sites with no domain name in Russia and Germany, as well as a domain in Singapore and a presence on the darknet. Many of them are behind DoS protection from Cloudflare, and all are hosting the exact same content. The content is in fact the personal details of people that these actors see as “enemies of the state,” including Chris Krebs, Gretchen Whitmer, and others in government (state and federal) that they deem need to be assassinated.

The site also has a host of social media outlets, including a now defunct Twitter account and a VK, as well as Gab and of course Parler. In taking a more nuanced look at all of the domain data and links, I have come to the conclusion that this is probably an information operation, but the question is, by whom? The domain data is littered with Russian addresses, names, and Yandex email addresses, but nothing in all of this data has shown me a slip up; instead, this is all deliberate and methodical. A means to an end to make this look, for all intents and purposes, like Russia’s GRU putting this out on the net to cause a stir, and to enthuse the Trump/Alt-Right base to talk to each other directly about the “next steps” post SCOTUS denial of the case to overturn the election in favor of Trump. This also tracks with the timing of the postings of these sites, as we JUST heard last night that SCOTUS denied the case in a one sentence ruling in thirty four minutes.
Details of Domains:
pcp6uxkzhavhxnwb.onion
pcp6uxkzhavhxnwb.onion.ws —> Clearnet gateway to access onion
enemiesofthenation.com
enemiesofthepeople.mx
enemiesofthepeople.ca —-> Hosted on monovm VPS/Hosting
enemiesofthepeople.us
SUB DOMAINS:
cpanel.enemiesofthepeople.us
cpcalendars.enemiesofthepeople.us
cpcontacts.enemiesofthepeople.us
enemiesofthepeople.us
mail.enemiesofthepeople.us
ns1.enemiesofthepeople.us
ns2.enemiesofthepeople.us
webdisk.enemiesofthepeople.us
webmail.enemiesofthepeople.us
http://www.enemiesofthepeople.us
donttouchthegreenbutton.us —> Ties to the AZ movement and had its own site on the Wayback Machine
donttouchthegreenbutton.net
enemiesofthepeople.org
donttouchthegreenbutton.org
Non Domain Named Sites (bare IPs):
2.56.242.22 —> Russian hosting
193.56.255.179 —> Russian hosting
Email addresses:
info@enemiesofthepeople.us
EnemiesOfThePeople@hotmail.com
Domain contacts:
voychik-7923@yandex.com
ivan0v.pi@yandex.com
onzayt@yandex.com
Kulkov Ei
viladiof@yandex.com
Social Media Links:
https://twitter.com/Pe0pleThe
https://parler.com/profile/EOTP
https://gab.com/Enemies0fTheNati0n
FULL REPORTING of Domain Data HERE
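The pivot described above (take a stem, try it across TLDs, note which names resolve, then see which share hosting and which carry the cPanel default records like cpanel, cpcontacts, webdisk and webmail that the .us domain shows) can be scripted. What follows is an added example and not code from the original post: the DNS answers are a constructed lookup table (with RFC 5737 documentation addresses) so that it runs offline, and the resolver is injectable so that `socket.gethostbyname` can be swapped in for a live run.

```python
"""Enumerate candidate domains for an OSINT pivot and cluster them by shared hosting.

Added example, not part of the original post. FAKE_DNS is constructed test data;
the IPs are RFC 5737 documentation addresses, not real hosting.
"""
import itertools
import socket

TLDS = ("com", "net", "org", "us", "ca", "mx")

# Records that a stock cPanel install publishes for every hosted domain; seeing
# this exact set is a hint that the domain sits on a cPanel box, not that the
# operator created them by hand.
CPANEL_DEFAULT_SUBDOMAINS = ("cpanel", "cpcalendars", "cpcontacts", "mail",
                             "webdisk", "webmail", "ns1", "ns2", "www")

# Constructed answers so the script runs offline. NOT real DNS data.
FAKE_DNS = {
    "enemiesofthepeople.us": "203.0.113.10",
    "enemiesofthepeople.org": "203.0.113.10",
    "enemiesofthenation.com": "203.0.113.10",
    "enemiesofthepeople.ca": "198.51.100.7",
    "donttouchthegreenbutton.us": "203.0.113.10",
    "cpanel.enemiesofthepeople.us": "203.0.113.10",
    "webmail.enemiesofthepeople.us": "203.0.113.10",
}


def candidate_domains(stems, tlds=TLDS):
    """Cartesian product of name stems and TLDs, e.g. 'stem.com', 'stem.us'."""
    return ["%s.%s" % (stem, tld) for stem, tld in itertools.product(stems, tlds)]


def fake_resolver(name):
    """Offline stand-in for socket.gethostbyname (raises like it does on NXDOMAIN)."""
    ip = FAKE_DNS.get(name)
    if ip is None:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return ip


def live_resolver(name):
    """Real lookup; only use this once you accept that the queries leave your box."""
    return socket.gethostbyname(name)


def resolve_all(names, resolver=fake_resolver):
    """Map every name that resolves to its A record; silently skip the rest."""
    found = {}
    for name in names:
        try:
            found[name] = resolver(name)
        except (socket.gaierror, OSError):
            continue
    return found


def cluster_by_ip(resolved):
    """Group resolved names by address: shared IPs are the first infrastructure link."""
    clusters = {}
    for name, ip in sorted(resolved.items()):
        clusters.setdefault(ip, []).append(name)
    return clusters


def probe_cpanel_subdomains(domain, resolver=fake_resolver):
    """Check which cPanel default records exist under a domain."""
    names = ["%s.%s" % (sub, domain) for sub in CPANEL_DEFAULT_SUBDOMAINS]
    return resolve_all(names, resolver)


def pivot(stems, resolver=fake_resolver):
    """Full pass: enumerate, resolve, cluster, then probe each live domain."""
    resolved = resolve_all(candidate_domains(stems), resolver)
    report = {"resolved": resolved, "clusters": cluster_by_ip(resolved), "subdomains": {}}
    for domain in resolved:
        subs = probe_cpanel_subdomains(domain, resolver)
        if subs:
            report["subdomains"][domain] = subs
    return report


if __name__ == "__main__":
    for ip, names in pivot(["enemiesofthepeople", "enemiesofthenation",
                            "donttouchthegreenbutton"])["clusters"].items():
        print(ip, "->", ", ".join(names))
```

Two caveats for live use: resolve through a resolver you do not mind the operator seeing in their logs (or through a VPN), and treat a shared Cloudflare edge address as no link at all, since every site behind Cloudflare will cluster together.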
As I said above, so far the searches I have done show no real mistakes that would lead to the real people behind the sites, and that is going to have to come from the FBI getting warrants on the US entities (the .us domains and the subdomains likely will bear fruit) and tracking how the domains were paid for. Much of the other data gleaned from the email addresses and names listed is pretty much a dead end on a cursory evaluation. Which, once again, leads me to believe that someone really wants you to think that this is Russia, but their tradecraft has been too good so far to make me think that these sites are all the work of would-be Trump acolytes, who for the most part have shown themselves to not be tacticians.
I have yet to log into the social media sites, but I did look at the VK and it is brand new with no followers I could see. Overall though, this is something I will keep an eye on to see what develops and will report what I see when I see it.
For now though, the information operation is afoot, and, from what I have seen in chatter elsewhere, this will be a moth to the flame kind of thing for the more idiotic of the Trumplings. Here’s hoping that they all get rounded up for plotting assassinations and kidnappings like the idiots who went after Whitmer a while back.
K.
Post Script:
They also just added a JPG of an alleged “SECRET” memo, ostensibly written and signed by Krebs, stating that there was a hack of the election systems from Dominion. This is a pretty bad attempt, and because they did not even take the time to fake up a PDF file, I am gonna just say they may be getting a little more desperate…

Updates:
Since WordPress is a fucking hot mess on editing, I lost some stuff so here it is again…
The sites keep getting updated with names and bios to attack now including Chris Wray
Meanwhile, the sites have started soliciting for Bitcoin with a wallet that at last check had about 6K in it and was zeroed out recently:
I also started a Maltego mapping session on the sites and all data:
Bitcoin transactions:
The Biden October Surprise is Here
This morning I was pinged by someone after seeing a Tweet that went by on my feed from Maggie Haberman (NYT) linking a lurid New York Post story claiming the smoking gun has been found on Hunter Biden.

This story is riddled with holes and innuendo but may have some kernels of truth. But all a good disinformation warrior needs to carry out a disinformation campaign is that Russian formula of 80/20 disinformation to real information, so this story certainly fits that model. The story line thus far is that some unnamed computer repair store owner received a Mac laptop for repair in April of 2019.
The customer who brought in the water-damaged MacBook Pro for repair never paid for the service or retrieved it or a hard drive on which its contents were stored, according to the shop owner, who said he tried repeatedly to contact the client.
The shop owner couldn’t positively identify the customer as Hunter Biden, but said the laptop bore a sticker from the Beau Biden Foundation, named after Hunter’s late brother and former Delaware attorney general.
NY Post 10/14/2020
So, yeah, a laptop of uncertain provenance, in the hands of an anonymous computer repair guy, who says he found incriminating data on the hard drive, and it was subsequently taken by the FBI. Of course the laptop, who brought it in, and who it belonged to are all quite unknown, as the anonymous computer guy fails to give any details such as he should have, ya know, like a receipt or a write-up of who it belonged to and at least the number he tried to call, right?
Say, while we are at this point, would you like to buy a bridge I have for sale? Perhaps a nice piece of swamp land in Florida maybe? Going cheap!
But, I digress… Anywho, yeah, this guy only thinks that this could be Hunter Biden because there is a Beau Biden sticker for the charitable organization that was set up after his death. Pay no never mind to the fact that this alleged computer repair guy had the WHOLE HARD DRIVE to access and he couldn’t maybe tell who it belonged to just by looking, say, at the Documents folder?
COME ON!
So, yeah, this anonymous guy somehow sees some nefarious emails (OH LOOK, HE’S IN THE EMAILS ON THE HARD DRIVE AND STILL DOESN’T KNOW WHO THE LAPTOP BELONGS TO?) from Vadim Pozharskyi and BOOM we have the coverup of the century! But wait, it gets better. So this guy calls the FBI and then makes a copy of the hard drive and passes that ILLEGALLY to Rudy Giuliani’s lawyer?
But before turning over the gear, the shop owner says, he made a copy of the hard drive and later gave it to former Mayor Rudy Giuliani’s lawyer, Robert Costello.
Steve Bannon, former adviser to President Trump, told The Post about the existence of the hard drive in late September and Giuliani provided The Post with a copy of it on Sunday.
New York Post 10.14.2020
Wow! That’s some epic shit right there! So, are your spidey senses tingling too? Cuz mine are just screaming here. What’s more is that all this began only on the NY Post, in an “exclusive,” which means the Post is all in for Trump it seems. That aside, I also had to ask myself why Maggie Haberman was flogging this on Twitter (pssst hey NYT, what the fuck?) without as much as a howdy do on doing any leg work to rebut these allegations. Anyway, if you look further into the article, you see some screenshots of things like the alleged email from Burisma and photos alleged to be of Hunter Biden (from the hard drive? It is not clear) along with a nice picture of the alleged subpoena that was served to the computer store guy, which has been “redacted” according to the name of the file.

Of course this alleged picture has a few issues. First of all, no court case number is conveniently there to look up. There is also no name of the person to be deposed, and then there is the EXIF data that they conveniently left in the photo for people like me to find…


This photo was shot on an iPhone and it still has the geolocation in it. Once you decode those coordinates, you get a tavern in Delaware where the photo was snapped.

So, someone with an iPhone took a picture of an allegedly redacted grand jury subpoena in Jessop’s Tavern on January 11th 2020. And this is just popping up now, in October 2020, conveniently a couple of weeks from the election of the century… Right… Oh, and there are a couple of Mac specialists within an easy drive of this tavern, so it may be possible to guess who it may be.
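The geolocation in the subpoena photo comes from the GPS sub-IFD that iOS writes into the Exif block of every JPEG unless the user turns it off, and pulling it out needs nothing more than walking the TIFF structure. The code below is an added example, not something from the original post: it builds a small Exif/TIFF blob in memory (the coordinates are made up, not the tavern’s) and then parses it back the way an Exif tool would, converting the degree/minute/second rationals to decimal degrees and returning None when no GPS IFD is present, which is the case for the other photos in the story that lack metadata. On a real file, pass it the bytes that follow the `Exif\0\0` marker in the APP1 segment.

```python
"""Read (and, for test data, write) the GPS IFD of an Exif/TIFF blob with the stdlib only.

Added example, not code from the original post. The coordinates used for the
sample blob are constructed and do not correspond to any real location.
"""
import struct

GPS_IFD_TAG = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
TAG_MODEL = 0x0110            # camera model string ("iPhone ..." on iOS)
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref, model=b"iPhone", with_gps=True):
    """Construct a little-endian TIFF: header | IFD0 | model | GPS IFD | lat | lon."""
    n_entries = 2 if with_gps else 1
    ifd0_off = 8
    model_off = ifd0_off + 2 + n_entries * 12 + 4
    model_bytes = model + b"\0"
    gps_off = model_off + len(model_bytes)
    lat_off = gps_off + 2 + 4 * 12 + 4
    lon_off = lat_off + 24           # three RATIONALs of 8 bytes each

    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value

    def rationals(dms):
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    ifd0 = struct.pack("<H", n_entries)
    ifd0 += entry(TAG_MODEL, TYPE_ASCII, len(model_bytes), struct.pack("<I", model_off))
    if with_gps:
        ifd0 += entry(GPS_IFD_TAG, TYPE_LONG, 1, struct.pack("<I", gps_off))
    ifd0 += struct.pack("<I", 0)     # no IFD1
    blob = b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + model_bytes
    if with_gps:
        gps = struct.pack("<H", 4)
        gps += entry(TAG_LAT_REF, TYPE_ASCII, 2, lat_ref + b"\0\0\0")   # inline value
        gps += entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_off))
        gps += entry(TAG_LON_REF, TYPE_ASCII, 2, lon_ref + b"\0\0\0")
        gps += entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_off))
        gps += struct.pack("<I", 0)
        blob += gps + rationals(lat_dms) + rationals(lon_dms)
    return blob


def _read_ifd(data, offset, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    count = struct.unpack_from(endian + "H", data, offset)[0]
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", data, pos)
        entries[tag] = (typ, n, data[pos + 8:pos + 12])
    return entries


def _value(data, endian, typ, n, raw):
    """Decode an entry; values of 4 bytes or less are stored inline, others by offset."""
    if typ == TYPE_ASCII:
        if n <= 4:
            return raw[:n].rstrip(b"\0").decode("ascii")
        off = struct.unpack(endian + "I", raw)[0]
        return data[off:off + n].rstrip(b"\0").decode("ascii")
    if typ == TYPE_LONG:
        return struct.unpack(endian + "I", raw)[0]
    if typ == TYPE_RATIONAL:
        off = struct.unpack(endian + "I", raw)[0]
        return [struct.unpack_from(endian + "II", data, off + 8 * i) for i in range(n)]
    raise ValueError("unsupported Exif type %d" % typ)


def dms_to_decimal(dms, ref):
    """[(deg,1),(min,1),(sec*100,100)] plus N/S/E/W -> signed decimal degrees."""
    deg = sum((num / den) / 60 ** i for i, (num, den) in enumerate(dms))
    return -deg if ref in ("S", "W") else deg


def extract_gps(tiff):
    """Return (lat, lon, model) from an Exif/TIFF blob, or None if it carries no GPS IFD."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("not a TIFF/Exif blob")
    ifd0 = _read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
    model = _value(tiff, endian, *ifd0[TAG_MODEL]) if TAG_MODEL in ifd0 else None
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, _value(tiff, endian, *ifd0[GPS_IFD_TAG]), endian)
    if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = dms_to_decimal(_value(tiff, endian, *gps[TAG_LAT]), _value(tiff, endian, *gps[TAG_LAT_REF]))
    lon = dms_to_decimal(_value(tiff, endian, *gps[TAG_LON]), _value(tiff, endian, *gps[TAG_LON_REF]))
    return lat, lon, model


# Constructed sample: 39°39'41.76"N 75°33'47.16"W, a made-up point, not the tavern.
SAMPLE = build_sample_exif([(39, 1), (39, 1), (4176, 100)], b"N",
                           [(75, 1), (33, 1), (4716, 100)], b"W")

if __name__ == "__main__":
    print(extract_gps(SAMPLE))
```

The same walk finds the other tags worth checking on a leaked photo (DateTimeOriginal, software version, the thumbnail IFD), and the absence of the whole APP1 segment on the remaining images is itself a signal that someone stripped them.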

So far, this story has only been getting traction on Fox and Bloomberg other than being on fire, then quickly put out by removal by Facebook. A removal mind you, that has many people in the Trump camp gnashing their teeth about, boo hoo. I would expect this story to get more traction though as I have already seen on Fox one Senator demanding more information from the now defunct Barr/Durham investigation that managed to charge no one with a crime.
Convenient eh?
Lastly, let me just say this: all of this story screams no chain of custody, and a large probability of tampering, hacking, and disinformation creation and propagation by forces yet to be seen. The rest of the photos in the Post story all lack any EXIF/metadata, which is kinda suspicious, so there is that too. I would not put it past Russian assets and the Trump camp to be central to the creation, curating, and release of this disinfo campaign against Biden now for fullest effect.
I don’t buy it, and neither should you.
K.
Existential Angst
In the face of the daily news from all sources, the Twitter-sphere, and the rest of the internet, it seems that we all are facing numerous existential issues. In the news cycle alone lately we have more and more data-backed proof that anthropogenic climate change (ok ok, destruction) leaves us with an expiration date for life on the planet of 2050. Meanwhile, the Trump administration (if one calls it that and not a shit show) is busily destroying Democracy and seemingly trying to move that 2050 deadline to, oh, next year. No wonder the populace generally, and in particular the youth today (Millennials and Z’s), seem to be losing their collective minds and more often infantilizing themselves into a stupor.
Yes yes, of course the parents of those millennials also sculpted, wait, bulldozed, their psyches into this mess, but after that, I cannot blame them for looking at the world and just wanting to check the fuck out. I mean, look at all this shit today? How the fuck did we get here? No, it wasn’t just Russia either! No, we did this to ourselves and it’s only gonna get worse, I fear. It will be a combination of fucked up elders and dysfunctional governments (mostly the US in this post) just spinning the cylinder on the .38 snub and holding it to our collective heads like that famous Vietnam war photo… At least it can feel that way at times. We just have no control, do we?
All of this and likely future fuckery that is to come makes me just postulate that we are in for a worse time down the line and that many of you out there will just go all YOLO and give up. I for one often think about this on a grander scale and since I am in my later years, I often just have to settle with; “well, at least I did not have any kids” because fuuuuuuck are they going to have to deal with all this shit when the bill comes due!
Which brings me to my next topic, as we move through all this and still do not do anything to really address the more existential issues that we all must deal with or die, I suspect more and more people will just resign themselves to it all and let apathy take them away. Some will be cognizant of it all and steadily lose their minds, showing many manifestations of mental maladies and perhaps take up behaviors like drugs, or other hobbies to just not deal with reality. It’s easy to get lost in the cyber now right?
Game away your pains and dull your senses with some drug or whatnot right?
Lately I have wondered and pondered at the people in this hacking/infosec community as well, and why they seem so fixated on all this or that shit, lacking any broader ability to converse about things or experience things. Perhaps they already feel this, perhaps they are all spectrum…
Who knows.
Ugh, whatever… Just deal with your mortality kids.
K.