Russia is NOT our Friend Nor is China

Posted on October 06 2018

By now most of you have heard about Russia’s state-sponsored hacking, aggressive cyber-war and ongoing disinformation war. Where our allies in the U.K. and Netherlands For the purpose of this entry, it might serve you well to re-read my previous entries on Russia’s cyber-war.

See the July 2018 XAgent and Xtunnel entry, where I attempted to explain, in a broader context, Special Counsel Mueller’s July 13th indictment; that entry is found here and here. The Yahoo hack entry is found here. The Nikulin extradition entry is found here.


I should reiterate that I am by no means a cybercrime expert. Arguably I am a neophyte, and I’m learning just like you are. Nor am I an expert on Russia or its multi-pronged objectives. There are far smarter people who know way more than I do. I would never intentionally give you bad information or disinformation. What I do know is, before I started working in the legal community, I was a telecommunications wonk. Like a serious wonk. Back in the day I could whiteboard the shit out of ATMs, NAPs, nodes, P2Ps and SONET rings, could out-debate my male counterparts on the 7-layer TCP/IP model, and did considerable work with MPLS, IPv4, IPv6 and cloud computing. In general I was the cute “sales engineer-girl” that the boys would call in to close the big deals, because I had a knack for taking really complex matters and outputting simple terms that a CEO or COO would understand. Essentially I’m telling you that I’m a closeted geek and full-on nerd.


UK, NL & USA vs Russia

Today’s trifecta announcement from the U.K., the Netherlands and our own Justice Department sends a clear message to Russia: we know the who, why, what and when of your cybercrimes dating back to at least 2014.


The U.K. and Netherlands announcement took great care to explain the rationale and some of the methodology, sources and methods. The official U.K. and Netherlands statement can be found here. The actual speech given during the announcement can be found here. Below are a few notable details that caught my attention:

“...unacceptable cyber activities of the Russian military intelligence service, the GRU. It has targeted institutions across the world, including the Organisation for Prohibition of Chemical Weapons (OPCW) in The Hague.”

The GRU's reckless operations stretch from destructive cyber activity to the use of illegal nerve agents, as we saw in Salisbury. That attack left four people fighting for their lives and one woman dead.


What may have been lost in translation is that it is abundantly clear Russia’s FSB and GRU have not restricted themselves to the Internet, but in fact traveled to the U.K., the Netherlands and the USA to carry out reconnaissance and execute part of their global destabilization. Specifically, at least two GRU agents traveled to Salisbury to do fatal harm to others. The false pretense that Russia would never dare to commit crimes, essentially carrying out multiple assassinations on foreign soil, cannot be emphasized enough.


I know you have heard the term bandied about: Russia’s hybrid war. From my limited research, I’ve come to learn what that term really means: it’s a muxing of weaponized information and disinformation. Below is a 3-minute video from the RAND Corporation; it does a decent job of explaining hybrid war.


The one thing that I have become increasingly frustrated about is the lack of public discussion of hardening our defenses. Meaning that in the cyber realm, the tools are constantly evolving. In the past you’ve heard me use the phrase Cyber-Darwinism. Essentially evolve or be eaten.

Case in point: I was a little taken aback that the mainstream media completely overlooked the fact that Maria Butina, while “posing” as a graduate student, wrote the following cyber security white paper (along with a few American University classmates). By the second paragraph my Spicy senses were full-on red lights blinking.


Granted, of course, I am making a huge assumption that our hardworking men and women of the Intelligence Community are unaware of this particular paper or the dozens of other papers she has authored. Nonetheless, this particular paper gives me serious pause, given what we now know about just how much Russia interfered in our 2016 Presidential Elections, or the granularity of the data forensics contained in the July 13, 2018 indictment.


October 4, 2018 Indictment:

Before we dive into today’s indictment, this Department of Justice Office of Public Affairs (DOJ-OPA) link will take you to the landing page of today’s joint announcement and the respective documentation. The exhibits, along with the slide deck from our U.K. and Netherlands partners, are truly extraordinary and highly informative.

I know there were some prolific tweets stating US-CERT is headquartered in Pittsburgh, PA. That’s not entirely accurate. US-CERT is under the umbrella of the Department of Homeland Security; US-CERT is an acronym for US Computer Emergency Readiness Team. They have numerous offices throughout America but have a primary footprint self-contained within DHS, which is headquartered in Northern Virginia.

Perhaps some on Twitter are simply confused, or they may have unintentionally mixed up US-CERT with SEI-CERT. The Software Engineering Institute (SEI-CERT) is operated by Carnegie Mellon University:

The SEI: The Leader in Software Engineering and Cybersecurity

Software Engineering Institute has been a leader in the fields of software engineering and cybersecurity since 1984. We research and solve complex, long-term problems for the Department of Defense, government agencies, and private industry, and we are always working to transition solutions to the software and systems engineering communities throughout the world.


Case 18-cr-00263-MRH

The full 41-page indictment can be found via the DOJ-OPA link. I recommend you download and/or read it in its entirety. After re-reading this indictment, it greatly expands the timeframe previously disclosed: as noted on page 1, paragraph 1, this cybercrime campaign started in “at least” 2014 and ran into May 2018. That, my friends, is what I’d call a protracted and persistent hacking campaign.


...least 2014 up to and including May 2018, the Russian Federation (Russia) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff (GRU). The GRU was headquartered in Moscow, Russia, and was comprised of multiple units, including Units 26165 and 74455.

GRU conducted persistent and sophisticated criminal cyber intrusions by hacking into the computers of victims that included U.S. persons, corporate entities, international organizations and their respective employees. These victims were located around the world, including in the Western District of Pennsylvania, and were targeted by the GRU for their strategic interest to the Russian government.


Pages 3 & 4 detail the sheer scope (as in a global conspiracy by Russia) and identify numerous victims, which is again the reason this came from the WDPA. I’m confident the choice of the WDPA was largely dictated by the fact that a “victim,” Westinghouse Electric Corporation (WEC), which is a nuclear energy company, is in fact headquartered in the WDPA. In 2014 WEC did a considerable amount of energy business with Ukraine. The indictment also details that trained GRU agents traveled the globe to execute “on-site” or “close-in” cyberattacks when the remote attacks failed. The GRU agents brought “highly sophisticated hacking equipment” and utilized WiFi (such as hotel WiFi). It appears the GRU agents used real-life reconnaissance to target and track their victims.


VICTIMS:

U.S. and international anti-doping agencies, sporting federations, anti-doping officials, other sports-related organizations and nearly 250 athletes from approximately 30 countries. 

U.S. Anti-Doping Agency (USADA): on September 13, 2016 they issued a statement in which the organization acknowledged that the confidential data of its athletes had been hacked; the USADA press release is found here. In December 2016 USADA issued a second press release, after Canadian lawyer Richard McLaren published his report. The December 2016 statement is found here.

McLaren Report No1 (July 2016) can be found here.

McLaren Report No 2 (December 2016), can be found here. If reading hundreds of pages of the McLaren report isn’t on your to do list, then this short video of Richard McLaren gives you a relatively decent primer:


Below is the original tweet from USADA. I encourage you to look at the comments below the original tweet. In my opinion those comments/tweets give you a reflective (backward-facing) look at what Russian disinformation and influence operations actually look like. Granted, we have the advantage of a detached perspective, but I also think it’s important to train your eye on what Russian fetid borscht-bullshit looks like. With any luck you’ll know what to look for.


World Anti-Doping Agency (WADA): on September 23, 2016, WADA subsequently announced the unlawful leak of personal (medical) data of some 41 athletes from 13 countries and 17 sports. You can read WADA’s September 2016 press release here.

Canadian Centre for Ethics in Sport (CCES), an anti-doping agency headquartered in Ottawa, Canada, issued the following statement on September 19, 2016 regarding the Russian hack and stolen data; the full CCES press release is found here:

...is very concerned that a Russian hacker group has illegally obtained medical data from a Rio 2016 Olympic Games account of the World Anti-Doping Agency’s (WADA) Anti-Doping Administration and Management System (ADAMS). By publicly sharing this data, these criminals violate the privacy of athletes around the world.

International Association of Athletics Federations (IAAF), an international sports governing body headquartered in Monaco: on April 3, 2017 the IAAF acknowledged that its network and athletes’ data had been compromised by Russia’s Fancy Bear. Incidentally, the IAAF stated the breach occurred 5 weeks earlier. Read the full IAAF press release here.

“The presence of unauthorized remote access to the IAAF network by the attackers was noted on 21 February where meta data on athlete TUEs was collected from a file server and stored in a newly created file." 

Court of Arbitration for Sport (TAS/CAS), headquartered in Lausanne, Switzerland: in some respects this particular victim seems like the piece of the puzzle that doesn’t fit. Until you actually drill down on what recent action the TAS/CAS adjudicated; then it makes perfect sense. Not to sound repetitive, but this was a “Global Conspiracy,” and Russia is like that insane college ex-boy/girlfriend that you can’t break up with because they are irrational, arrogant and slightly 50 shades of crazy. Sorry, I went on a slight tangent. In February of 2018 TAS/CAS issued a final determination on numerous Russian athletes and their appeals:

39 of the 42 cases filed by Russian athletes against the decisions taken by the Disciplinary Commission of the International Olympic Committee (IOC DC) in relation to the 2014 Sochi Olympic Winter Games.


Shortly after the release of the July 2016 McLaren report (linked above), the GRU hacking team executed multiple targeted campaigns to penetrate networks, steal employee credentials and ultimately extract thousands of pages of medical information on numerous athletes. Pages 5 and 6 of the indictment disclosed that in April of 2018 defendants Sergeyevich Morenets and Evgenii Mikhaylovich Serebriakov traveled to Rio de Janeiro, Brazil:

GRU technical intelligence officers, including Morenets, Serebriakov, Sotnikov, and Minin, traveled to locations around the world where targets were physically located. Using specialized equipment, and with the remote support of conspirators in Russia, including Yermakov, these close access teams hacked computer networks used by victim organizations or their personnel through Wi-Fi connections, including hotel Wi-Fi networks. After a successful hacking operation, the close access team transferred such access to conspirators in Russia for exploitation.

One particular sentence stuck out to me (see paragraph 13 on pages 5 & 6). The way I read this, “was encountered” means he was caught red-handed:

...in April 2018, MORENETS was encountered while conducting an on-site hacking operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, Netherlands,


If XAgent and Xtunnel are lost on you, a quick reminder: they appear in the SCO Mueller July 13, 2018 indictment. One detail that a lot of people overlooked was the disclosure of the XAgent alias, “aka Chopstick.” It reminded me immediately of this 2014 USA Today article, when then-Attorney General Holder announced that, for the first time in our country’s history, our government “charged a state actor in a criminal cyber espionage case.” The USA Today story is embedded in my Twitter thread from yesterday. Should you be inclined, this DOJ-OPA link will take you to the 2014 indictment.


Senior Lieutenant assigned to Unit 26165. In 2016, MALYSHEV monitored X-Agent malware (a/k/a “Chopstick”) implanted on victim networks and utilized online fictitious personas to conduct technical and online reconnaissance of victim organizations and to send spearphishing emails, all on behalf of Unit 26165....early as November 2014 and continuing through at least August 2016, YERMAKOV and his co-conspirators targeted Westinghouse Electric Corporation (WEC) and its employees, in the Western District of Pennsylvania...

What I also found notable in the October 4, 2018 indictment are the following passages; they read strikingly similar to the July 13th SCO Mueller indictment. Specifically: the use of WiFi, cryptocurrency (like Bitcoin), VPNs, spearphishing emails and “spoofing” of legitimate websites. The sources and methodology are incredibly similar:


Spearphishing messages were composed to resemble emails from trustworthy senders, such as email providers or colleagues, and requested the recipients to click on hyperlinks in the messages. Such hyperlinks would direct recipients to spoofed websites which prompted the recipients to enter their login and password and enabled the capture of their credentials.


I could be off base, but one thing I noticed in both of these indictments is one of the points of failure for the DNC, DCCC and WEC: ALL three entities used Microsoft Exchange Server, and the hackers used XAgent, which sat quietly on their networks for months, if not close to a year. XAgent, in the simplest of terms, just sits and watches. But there may be a finer point that appears to be consistently ignored: when it comes to Russia and Putin, they are extremely aware of and fiercely protective about what the global community thinks of them. Meaning Putin is willing to weaponize information to leverage and manipulate public perception:


... hacking was part of an influence or disinformation operation, conspirators publicly posted and disseminated such information, including victims’ personal email communications and individual health and medical information...This was done to further a narrative favorable to the Russian government and in order to amplify its impact.

With respect to Westinghouse Electric Corporation, the indictment presented a few interesting data points: specifically the use of Microsoft Exchange email servers, the fact that 100% of WEC’s traffic routes from their WDPA HQ, and their long-running business relationship with Ukraine, specifically providing nuclear power to Ukraine (see the 2014 press release below). The indictment also indicated that the GRU hackers intruded into the WEC network for nearly 11 months and were largely undetected.

All of WEC’s internet traffic is routed through servers located in the Western District of Pennsylvania. The company’s power plant designs are the basis for approximately half of the world’s currently operating nuclear power plants. Since 2008, WEC has supplied Ukraine with increasing amounts of nuclear fuel.


Interestingly enough, on October 30, 2014 WEC issued the following press release announcing:


“WESTINGHOUSE TO SUPPLY ADVANCED SAFETY SYSTEM TO UKRAINE NUCLEAR POWER PLANTS”

...National Nuclear Energy Generating Company of Ukraine (NNEGC Energoatom) to provide a passive hydrogen control system for VVER Units 1 and 2 at the Zaporizhia Nuclear Power Plant in Ukraine.


To say WEC and Ukraine have a strong business relationship would be a gross understatement, given the NNEGC deal represents a substantial portion of WEC’s overseas business revenue. I’ve taken the liberty of culling their most recent press releases regarding their Ukraine announcements; you can read them here.

Should you be inclined, you can read more about the indictment and other related materials via the following Twitter thread.


Late yesterday Malwarebytes published an updated article about XAgent. It is this particular paragraph that literally stopped me in my tracks. Not only are victims unaware when their network is infected; most cyber security experts and researchers have concluded that XAgent is “likely” responsible for far more cyber attacks than we were aware of. For example, in 2016:


Researchers indicate that the purpose of this novel attack vector has been to install the XAgent Remote Access Trojan, which others in the security industry have linked to the Russian hacking group that goes by many names including: APT28, Fancy Bear, and Sednit.


The successful execution of the malware payload is dependent upon a computer system that has been configured to disable the Secure Boot protections that come standard on newer Windows computers.

The ESET September 2018 follow-up white paper regarding Fancy Bear is, in a word, alarming. Here are a few data points from ESET, which is arguably one of the better malware research groups:


...several security companies, as well as the US Department of Justice, named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak [4] and many others...

It is the first malware observed to successfully compromise the UEFI firmware component of a device (which was formerly known as the BIOS), a core and critical component of a computer.


You should read the ESET article. On a positive note, at least the cyber security sector continues to tighten up its timeline when informing the public. The reality is cyber security isn’t a set-it-and-forget-it thingy-mob-bobber. To truly secure your network and data from unauthorized intrusion, your IT department needs to be several steps ahead of the bad guys. Which is difficult when you don’t know what or where to look for any indication of an intrusion. At any rate, over the next couple of weeks I’m going to be extremely busy and will be intermittently dark. That’s not me ignoring you. This is me trying to set your expectations for the next few weeks. -xo Spicy
