There Is A Fancy Bear In The Woods…

I set myself to piece together a full account of what our glorious leader likes to call The Cyber, so here goes.  Even without the IC’s TS-SCI Ears-Only Eat Before Reading intel, the attribution is not seriously in doubt.  In fact I am not going to use any IC sources at all: I can prove to you that it was the Russians solely with open-source private-sector intel.  Onward.

The DNC breach is the most straightforward.  It was carried out by APT28 (Fancy Bear, Sofacy, GRU) and APT29 (Cozy Bear, FSB).  These groups are Russian covers.  This was known well before the DNC hacks: these groups operate out of Russian time zones, build their code in Russian-language environments, and only seem to attack targets of interest to Putin’s ‘government’.  There’s more history of these threat groups here and here.

Guccifer 2.0 claims to be a Romanian, like the original.  They’re not.  The consensus is that Gucci is six KGB politicals in an unconvincing black hacker hoodie (TW: fake Cyrillic). To start with, a chat with a reporter from Motherboard revealed that Gucci does not, in fact, speak correct Romanian, and the metadata is riddled with Russian, as spotted by PwnAllTheThings (although interestingly suggesting a wannabe hacktivist rather than GRU).  Linguistic analysis of their English suggests Russian is a more likely native language than Romanian.  Later, they sent a written statement displaying some of the same grammatical markers to a cybersecurity conference hosted in London by PSBE Futures Group.  To cement the case against Gucci’s personhood, they cleaned up their English and their metadata soon after the first interview. As to The Cyber, in the chat interview with Motherboard, Gucci claims to have broken into the DNC via an NGP VAN 0day in the summer of 2015, except that:

  1. CrowdStrike found no such thing.
  2. NGP VAN is a cloud-based service not stored locally on any DNC machines and is not a particularly efficient attack vector.
  3. Any breach would have been spotted when NGP VAN did the Dec. 2015 audit to figure out how the Sanders campaign wound up seeing the Clinton donor and voter rolls.
  4. NGP VAN is sufficiently specialized and obscure that there isn’t a commercial market for 0days.

This is in effect a claim to be vastly more sophisticated than the Bears, and it’s coming from some time-traveling quantum twerp who doesn’t seem to realize that finding 0day is laughably inefficient when a phish would accomplish the same with much less sorrow.  On top of that, they continue to insist not only that they used a vulnerability which apparently does not exist, but also that they were the only attacker inside the DNC.  That is, the person blogging and speaking to reporters knows buggerall about The Cyber, and [bad Russian accent] also is KGB cutout.  Lastly, as has been observed over and over again, the dox Gucci released were impressively boring and do not in any way further his alleged ideological goals.

Thomas Rid of King’s College Cambridge suggests, based on the quick turnaround between the DNC noticing Bears running around in their network, CrowdStrike’s involvement, and the sloppy appearance of Gucci, that the DNC leak was a panicky seat-of-the-pants attempt to salvage an otherwise blown operation, and not a very good one.  It’s evidently enough for KGB purposes to sow enough doubt to give a foothold to the whataboutists and conspiracy-mongers.  The ThreatConnect guys’ theory is very interesting: citing the ludicrous amplification of the whole thing on Russian state media and the low value of the dox, they argue that Gucci’s stuff was ultimately more useful to Putin for reinforcing narratives on state media than as an active measure here in the US.  But what was the primary purpose of the op, before CrowdStrike came along to blow the whole show sky-high: passive intelligence collection or active measures?  I lack the manpower and infrastructure to bug the Kremlin, so we’ll have to wait until something leaks.

As for Podesta, SecureWorks has this technical account of the phishing campaign that got him and this breakdown of their targets.  The phishing email that got Podesta turns up in the Wikileaks dump (link obviously goes to Wikileaks, approach with however much caution fits your paranoia level).  TG-4127, the group it’s associated with, is our old friends Fancy Bear again.  Much of the information published by DCLeaks also seems to have come from this phish, and as far as I’ve seen all of it was obtained by APT28, but I need to follow that rabbit hole a little further to see whether other phishing campaigns may have been involved.  This one got caught because of an opsec fail in the use of Bitly to mass-generate customized landing pages.  The phish itself wasn’t nearly as crude as it looks from the plaintext in WL.  Podesta would have seen this, also via @PwnAllTheThings:

This is pretty good, as it goes: the tipoff is accounts.googlemail.com and of course the URL at the fraudulent login page.  One has to wonder if they tried to put the source of the fake breach in Ukraine deliberately.  Maybe this phishing email is what Putin was referring to when he tried to pin the leaks on the Ukrainian government?
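A defender-side check for the tells mentioned above (a Bitly short link, a Google-looking sign-in host that is not the expected one), as an added example that is not from the original post or from any of the cited reports. The allowlist, the shortener list, the finding names and the sample links are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy for this example; none of these sets come from the post.
EXPECTED_SIGNIN_HOSTS = {"accounts.google.com"}
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com"}
BRAND_TOKENS = ("google", "gmail")


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def triage_link(href, display_text=""):
    """Return findings for one link (href plus its visible text) from an email."""
    findings = []
    parts = urlsplit(href)
    host = _host(href)
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # "https://trusted-name@real-host/" : the real host is after the '@'.
        findings.append("userinfo-before-host")
    if host in SHORTENER_HOSTS:
        findings.append("shortener-hides-destination")
    elif host not in EXPECTED_SIGNIN_HOSTS and any(t in host for t in BRAND_TOKENS):
        findings.append("brand-host-not-allowlisted")
    # Visible text that is itself a URL but names a different host than the href.
    shown = _host(display_text) if "://" in display_text else ""
    if shown and shown != host:
        findings.append("display-text-host-mismatch")
    return findings


# Constructed sample links (not taken from the actual campaign).
SAMPLES = [
    ("https://accounts.google.com/signin", "Change password"),
    ("http://bit.ly/CONSTRUCTED", "CHANGE PASSWORD"),
    ("https://accounts.googlemail.com/ServiceLogin", "Sign in"),
    ("https://accounts.google.com.signin.example/login", "https://accounts.google.com/"),
    ("https://accounts.google.com@login.example/", "Review activity"),
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        print(href, "->", triage_link(href, text) or ["ok"])
```

A shortener finding only says the destination is hidden; a mail gateway would resolve the redirect in a sandbox and run the same check on the final URL.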

Motherboard, Krypt3ia (who seems to be the original source here), and even the Daily Caller all agree based on the metadata that the Clinton Foundation dox were fake.  The Hill reports that the Clinton Foundation was able to turn up no evidence of a breach.  This seems kind of weird and haphazard, and casts doubt on the authenticity of Gucci’s other data dumps.  It’s certainly not the KGB’s best work.  It’s also, let’s be real, kind of weird that no emails either from or claiming to be from the Notorious HRC Server have turned up anywhere in all this mess.  Maybe they would have, if Trump hadn’t publicly asked the Russians to cough them up.  Who knows.

Lastly, the feds interrupted an attack on voter registration infrastructure in Illinois and Arizona before any damage was done.  Voter rolls are part of the public record, so there’s no intel-collection motive for this, although the KGB is somewhat notoriously bad at OSINT.  It remains unclear what was intended.

Anyway that’s what we know right now, and why we know it.
