Posted on July 23 2018
As previously discussed, in this Russia Cyber-war entry
And further discussed in yahoo hack, here.
And hacker meets hack back, here.
July 13th Indictment
They USED servers in AZ (I just talk about how RU diplomats were violating the 25-50 mi & 24 hour notice rule) transferred stolen data to another server in IL and then registered actblues to funnel donations away from DNC DCCC via act blue— SpicyFiles (@SpicyFiles) July 13, 2018
cc @joncoopertweets @AdamParkhomenko pic.twitter.com/S8mVLS85A2
There is a phenomenal amount of forensics data in this Indictment. The number of incredible investigative tools used might be incalculable. For the purposes of this entry I’m going to drill down on two subsets of data points:
the stolen DNC analytics
On June 2, 2016 The Swedish Institute of International Affairs hosted a seminar which featured Matt Galeotti.
Russia is accused of coordinating a “hybrid war” in Ukraine, and in Syria Putin has used military force outside the borders of the former Soviet Union for the first time since the end of the Cold War.
Full disclosure: I don’t personally know nor have ever interacted with Matt Galeotti, but as of late I have become a big fan of his work. There’s a sense of passion, enthusiasm and earnestness to his writings. By any other measure he’s a venerable orator and researcher. As some of you may recall, in one of my many twitter threads I’ve often linked to his white papers. The reason is I find his writing style uniquely comprehensive but technical enough that even a novice like myself gets what he is saying.
Not to belabor the points articulated in Galeotti’s Putin’s Hydra, it is worth a second or third read. I will admit I’ve read it four times and each time I walk away with more insight than from previous readings. For example, the “hydra” in Greek Mythology:
a gigantic water-snake-like monster with nine heads (the number varies), one of which was immortal. The monster’s haunt was the marshes of Lerna, near Argos from which he periodically emerged to harry the people and livestock of Lerna. Anyone who attempted to behead the Hydra found that as soon as one head was cut off, two more heads would emerge from the fresh wound.
In Galeotti’s Putin’s Hydra he surmised the following:
🏁Russia’s intelligence agencies are engaged in an active and aggressive campaign in support of the Kremlin’s wider geopolitical agenda.
🏁As well as espionage, Moscow’s “special services” conduct active measures aimed at subverting and destabilising European governments, operations in support of Russian economic interests, and attacks on political enemies.
🏁Moscow has developed an array of overlapping and competitive security and spy services. The aim is to encourage risk-taking and multiple sources, but it also leads to turf wars and a tendency to play to Kremlin prejudices.
🏁While much useful intelligence is collected, the machinery for managing, processing, and assessing it is limited. As a result, intelligence’s capacity to influence strategy and wider policy
🏁Europe should take a tougher approach to Russian operations, investing resources and political will in counterintelligence, and addressing governance weaknesses that facilitate the Kremlin’s campaigns, including tougher controls on money of dubious provenance
Again I’d urge you to read Galeotti’s Putin’s Hydra; it is an excellent read and will give you a much broader understanding of Russia’s current hybrid war. The link to his paper is found here.
I respectfully disagree with Galeotti on a few data points. His position is that the competing forces within Russia’s own Government lead to a potential weakness. I’d argue that this may be flawed or simply another cog in Russia’s Active Measures, as in fooling other Governments and subject matter experts into thinking the Russian Government and various security sectors are at war with each other internally.
I also disagree with his assertion that Russia’s computing/machinery, aka infrastructure, is limited. Based on the persistent and pervasive cyber-warfare coming from Russia, coupled with the sophistication of various malware, they would need advanced machinery to: 1) beta test their malware; 2) process the voluminous amounts of data Russia & their hackers have stolen. Which now brings us to X-Tunnel.
🚨SIDEBAR🚨 - you’ve heard me rattle on and on about Operation Pawn Storm.
Did it occur to you that Russia didn’t just hack the DNC, DCCC and Sec Clinton?
That Russia has a proven track record of playing both sides against the “middle”?
Or that Trump constantly beats the drum that the GOP was “never hacked”...well, the FACTS show the GOP and Trump were in fact penetrated. Most of us seem to have forgotten this October 8, 2016 NBC Report:
It detailed the September 2016 hack of former Secretary of State Colin Powell’s personal emails, which DCLeaks subsequently published.
Kevin Bishop, spokesman for Sen. Graham, said, “We have not disputed that Senator Graham’s campaign was hacked, that some campaign related email accounts were hacked.” He described the victims as low-level staffers. “We haven’t said anything about it and don’t expect to.” Graham was a contender for the GOP presidential nomination.
The NBC article states that:
2015, at least one Trump campaign staff member’s email account was infected with malware and then sent malicious emails to colleagues, according to the advisor, who said that and other concerns prompted the campaign to upgrade its security.
FINE imma gonna break it down, since Trump & Putin are making googly eyes at each other.— SpicyFiles (@SpicyFiles) July 16, 2018
Meet “IRON TWILIGHT”
Targets: Media, Politicians (& their family), Banks, critical infrastructure
I now refer you to pages 11 and 14 of this TrendMicro Pawn Storm Report.
XTunnel / X-Tunnel / XAPS
Back in June of 2015 Microsoft published a 166 page report. I now refer you to page 23; note that this was out in the public domain a full YEAR before the DNC, DCCC and Sec Clinton hack. I think the easiest way to describe XTunnel and its derivative iterations: the encrypted “tunnel” allowed hackers to penetrate much deeper into a target’s network, and this “tunnel” allowed hackers to reach computers and/or servers that were otherwise unreachable. Because the hackers evolved and tweaked this malicious code through a process of trial and error, the result was a perfectly calibrated “covert” code.
The timetable is critical to understanding the how/who/what/when/why of XTunnel. I know that I’ve often said cyberattacks are the height of cyber-Darwinism: with each deployment hackers make advancements to their code with the intended purpose of being faster and better and penetrating deeper. Cybersecurity is probably one of the most dynamic (ever changing and ever evolving) existential threats to America and our Allies.
The ESET report goes on to explain the following:
The Sednit group — variously also known as APT28, Fancy Bear, Sofacy, Pawn Storm, STRONTIUM... Over the past two years, this group’s activity has increased significantly, with numerous attacks against government departments and embassies all over the world.
..notable presumed targets are the American Democratic National Committee the German parliament and the French television network TV5Monde.
Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics.
One of the striking characteristics of the Sednit group is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities.
The ecosystem created is one that should be closely monitored; the ESET white paper states the following:
Also, over the years the Sednit group has developed a large software ecosystem to perform its espionage activities. The diversity of this ecosystem is quite remarkable; it includes dozens of custom programs, with many of them being technically advanced, like the Xagent and Sedreco modular backdoors (described in the second part of this whitepaper), or the Downdelph bootkit and rootkit (described in the third part of this whitepaper).
The multiple stages and deployment of XTunnel made it almost impossible to detect that the victim and/or victim’s network had been targeted, covertly monitored and data stolen. Which in hindsight makes the “delay” in the DNC, DCCC and Clinton Campaign’s response to the hack an unreasonable argument. Meaning the numerous after action reports by various industry experts explain in particularity how difficult it was for these organizations to know when their “0-day” occurred. Sure, one could argue the DNC et al should have known; conversely a stronger argument can be made that the DNC et al simply did not know, but when they did know, they acted quickly. The reality is it was reactive. I’m not blaming the DNC et al. I’m simply trying to prove a fact-based counterargument.
CrowdStrike’s data and resources on the DNC hack are found here.
A sample of the DNC data dump is found here.
As previously noted in the July 13th Indictment, the amount of forensic data included is stunning. And sure, there’s an argument to be made that these hackers will never be extradited to America, but you are missing the broader point of this Indictment: NAME, SHAME and send a message of “we know what you did and we know how you did it”.
I now refer you to page 13 of the July 13th Indictment, which reads in part:
On or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC.
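The technique the indictment describes (snapshots created with the provider’s own tooling, then moved to accounts the attackers registered) is also the defender’s detection opportunity: the provider’s audit log records both the snapshot creation and the permission change that hands the snapshot to another account. The following is an added example, not part of this post or of the indictment, that scans constructed audit events for snapshots shared with accounts outside an allowlist. The event shape is modelled on the AWS CloudTrail record format (an assumption; the indictment does not name the provider), the account IDs, ARNs, snapshot IDs and timestamps are all made up, and the severity is raised when the share follows the snapshot’s creation within a short window, which is the pattern a create-then-exfiltrate sequence leaves behind.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs), loosely following the AWS
# CloudTrail record shape. Account 111111111111 is the victim tenant, 222222222222
# a trusted partner account, 999999999999 an account nobody in the org recognises.
SAMPLE_EVENTS = [
    {"eventTime": "2016-09-20T02:10:11Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-svc"},
     "sourceIPAddress": "203.0.113.9",
     "responseElements": {"snapshotId": "snap-0a1b2c"}},
    {"eventTime": "2016-09-20T02:14:40Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-svc"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"snapshotId": "snap-0a1b2c",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2016-09-21T09:00:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"snapshotId": "snap-77dd88",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventTime": "2016-09-21T09:05:00Z", "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "sourceIPAddress": "198.51.100.4"},
    # Edge case: a snapshot made public ("group": "all") rather than shared with one account.
    {"eventTime": "2016-09-22T11:30:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analytics-svc"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"snapshotId": "snap-55ee66",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
]

# Accounts that are allowed to receive snapshots from this tenant (constructed allowlist).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def _ts(event):
    """Parse the event timestamp into a datetime for ordering and windowing."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def shared_with(event):
    """Return the principals a ModifySnapshotAttribute call grants createVolume permission to.

    A specific account appears as userId; a public share appears as group "all",
    which is reported as the marker string PUBLIC.
    """
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    principals = []
    for item in perm.get("add", {}).get("items", []):
        if item.get("userId"):
            principals.append(item["userId"])
        elif item.get("group") == "all":
            principals.append("PUBLIC")
    return principals


def find_snapshot_exfil(events, trusted_accounts, window=timedelta(hours=1)):
    """Flag snapshots shared outside the allowlist; escalate when the share closely follows creation."""
    created = {}   # snapshotId -> the CreateSnapshot event that produced it
    findings = []
    for event in sorted(events, key=_ts):
        name = event.get("eventName")
        if name == "CreateSnapshot":
            snapshot_id = event.get("responseElements", {}).get("snapshotId")
            if snapshot_id:
                created[snapshot_id] = event
        elif name == "ModifySnapshotAttribute":
            snapshot_id = event.get("requestParameters", {}).get("snapshotId")
            foreign = [p for p in shared_with(event) if p not in trusted_accounts]
            if not foreign:
                continue
            finding = {
                "snapshotId": snapshot_id,
                "sharedWith": foreign,
                "actor": event.get("userIdentity", {}).get("arn", "unknown"),
                "sourceIP": event.get("sourceIPAddress", "unknown"),
                "severity": "medium",
            }
            origin = created.get(snapshot_id)
            if origin is not None and _ts(event) - _ts(origin) <= window:
                # Create-then-share by the same tenant inside the window is the exfiltration shape.
                finding["severity"] = "high"
                finding["createdSecondsBefore"] = int((_ts(event) - _ts(origin)).total_seconds())
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_snapshot_exfil(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        print(json.dumps(f))
```

Sharing with the partner account is silently accepted because it is on the allowlist; the share to the unknown account is reported as high severity because it came 269 seconds after the snapshot was created by the same service user, and the public share is reported at medium severity since no creation event was seen for it. In a real deployment the allowlist comes from the organisation’s own account inventory, and the same logic applies unchanged to other snapshot-sharing calls the provider logs.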
Let’s look at the events from September 2016 through Election Day:
See Trump get cut off by a Pastor in Flint, MI September 14, 2016
September 26, the Clinton v Trump debate; it was...interesting, see the Washington Post annotated transcript found here.
This particular series of events: the joint DHS/DNI warning about the elections, the Trump Access Hollywood tape, targeted social media ads, the WikiLeaks dump.
Extortion?— SpicyFiles (@SpicyFiles) April 11, 2018
Or does this link back to WikiLeaks releasing John Podesta’s emails?
It was <29 minutes after the access Hollywood Tape. https://t.co/15QvjDD1sZ
How about Brad Parscale’s notorious 60 minutes interview?
How did Brad know which precincts in MI, WI, OH and PA to target <30 days before the 2016 election?
Like MANY of you, I’ve replayed the last 45 days of the 2016 Presidential election over and over in my head, trying to square how 100% of all polling organizations somehow “got it wrong”? And it occurred to me, they didn’t get it wrong, but I know I’m not alone when the MSM started reporting a few days before Halloween 2016 that the Trump Campaign was making its final push in MI & WI.
Remember this Trick or Treat New Yorker article?
How about this Rudy Giuliani October 2016 “surprise”, found here.
Or this NBC October 2016 Article, that’s sourced to the teeth?
I don’t know the answers to my questions but what I do know is Maddow had an interesting segment late last week and oddly echoed the same questions I’ve had for the better part of the past 20 months.
My advice? Keep asking questions. Remain skeptical of Trump and his surrogates because we are beyond smoke. I think in the coming weeks, we will ALL find out what caused the Trump campaign to radically shift gears in September, October and November of 2016. And I suspect I know what they are...
While you're here, throw us a bone.
Mad Dog is thrilled to have Spicy in our PAC(k). We are proud to provide a space for her tireless, hard hitting, in-depth investigations. But we can’t do it without you.
Our numbers are growing. Our voices are being heard. Our campaigns are making a difference. Help us, and Spicy, continue to fight the good fight. Consider a donation to help support the work of Mad Dog PAC today.