Hvat’s troll nema þat?

There have been two interesting developments in the world of organized political trolls today:

  1. The Daily Beast discovered that Russian Facebook ops did manage to incite some real-world organizing after all, but I’m linking you to Bellingcat’s writeup instead.
  2. It has generally been expected that Kremlin-backed trolls would go after Merkel, but instead most of the German- and English-language material is being generated by the American alt-right, and the Russians are nowhere to be found.

A few things stand out.  First, the lines between state-run campaigns, astroturf, and citizen propagandizing were never clear to begin with, but soon it’s going to be impossible to draw them at all.  Pretending to be Americans themselves, the Facebook Russians egg on actual right-wing American activists to organize rallies (this is so bananas I almost can’t get my head around it).  Private American citizens organize anonymously online to carry out a propaganda campaign directed at the German electorate against a candidate for German chancellor.  Neither of these fits into our existing paradigms of an influence op, but neither is citizen organizing in any sense we’re accustomed to.

Second, it’s a mistake to get hung up on numbers to the exclusion of all else when considering a decentralized political movement like the alt-right.  Numbers matter for forming voting blocs, but not for the other corrosive effects they can have on public discourse and civil society.  I’m not sure what to do about that, but yelling about how it’s only like two hundred dudes is no more helpful here than in the case of the jihadis.

Lastly, plenty of people have since 9/11 noted the rise of the non-state actor in the context of transnational Islamist terror groups like AQ and Daesh, but we have probably ascribed too much weight to the jihadis as jihadis: it will likely turn out that they were merely the first of the truly powerful non-state actors.  I’ll leave aside the absurdity of a transnational alliance of ethnonationalists for another post, but at least jihadi tactics are in harmony with their universalist ideology.  Anyway, technology has brought certain activities that were once the exclusive domain of the state within reach for the well-organized civilian: large-scale disinformation campaigns, geospatial intelligence, weaponized drones, etc.  It remains to be seen whether the centralization of data by the tech giants will have any mitigating effect on the decentralization of capabilities.


Regarding Kaspersky

Why do threat modeling when you can split into warring factions, after all?

I cannot for the life of me understand why this debate is getting so fraught, because it’s really quite straightforward.  This has next to nothing to do with the personal character of Yevgeny Kaspersky. I don’t know him and I don’t feel myself qualified to comment on him, although for what it’s worth he did attend the KGB’s technical college. It has everything to do with:

  1. your supply chain
  2. the personal character of Vladimir Putin
  3. the character of Vladimir Putin’s alleged government

Being nervous about Kaspersky doesn’t require that you think Yevgeny is a devious KGB agent assigned to infiltrate the networks of Russia’s adversaries by cunningly producing a high-quality security product. That’s goofy. Most likely Yevgeny is exactly what he says he is, and none of that matters, because Putin is a mafia thug. Kaspersky lives in Russia, his family lives in Russia, the families of most of his employees live in Russia, and the supply chain originates in Russia, all within reach of Vladimir Vladimirovich’s mafia thuggery.

There’s a lot of RUMINT out there regarding intel collaboration with the FSB and backdoors etc, but the truth-value of the RUMINT is beside the point.  Even if, as is likely, Kaspersky products are not backdoored now, there is reason to fear that in the future the Russian government may choose to compel cooperation, either through financial or physical intimidation.

Now that real-time updates are the bread-and-butter of security products, I’m curious to know how the anti-anti-Kaspersky crowd plans on defending against some future backdoor.  This is not a hypothetical: you may remember Russian intelligence owned M.E.Doc’s update servers and used them to push out a little exfil-and-wipe program called Nyetya (NotPetya) to anyone who pays taxes online in Ukraine.  It was pointed out on last week’s Risky Business that aside from the security products, Kaspersky has been developing a secure operating system for various kinds of critical infrastructure, which presents an even bigger threat than Nyetya-esque attacks: a compromised update channel for an OS that sits on the control system is a worse place to be than one for an agent that sits on top of it.  In a world in which CRASHOVERRIDE already exists, I’m not sure I want to make infrastructure attacks easier for any state-level actor.

So no, it is not “Russophobia” to suggest that perhaps it’s not the wisest idea to run Kaspersky products on natsec and other critical infrastructure. Don’t be horrible: people like me who are worried about Kaspersky products are worried about a situation in which threat of violence is used to force Yevgeny to play ball. Shut the fuck up and do your threat modeling.

Lying under OAUTH

I don’t like this new thing where I’m going about my own damn business and suddenly end up on the front lines of the hybrid war, but that’s the cyberpunk dystopia we live in now.  Like nearly everyone inside the Beltway, my workplace got hit with the Google Docs OAuth worm yesterday afternoon around 1500.  Thanks to Zeynep Tufekci’s efforts on Twitter, I was wise to it well before we actually saw one, and I managed to head my idiot comrades off from clicking on any of them.  I found myself speculating wildly this morning in a Twitter thread, but that’s the rankest Jeet-Heerishness so I’m hopping over to the blog where this belongs.  If you don’t know what an OAuth phish is, read this.

It’s much too early for attribution, of course, but last time something like this happened, it came from APT28, who, as you may recall from my It Was The Russians attribution roundup post a few weeks ago, are the Russians.  While I should probably wait for further information from those who saw the landing page while there was still a domain to WHOIS, I’m inclined to believe this was intel collection— not necessarily from Moscow— until we have some negative confirmation.  What little I’ve seen of the WHOIS data (Google nuked everything before I got to clap eyes on the genuine article) shows the domains were all registered before Trend Micro’s report on APT28’s use of faux-Google OAuth apps.  The apparent targets are consistent with the intel theory, as is the technique, if you look at it from a spyish angle instead of a hackish one.

The best argument against a state-level actor is that the phish was a dragnet.  Past OAuth worms and other phishing campaigns from APT28 and Friends have overwhelmingly been spearphishes.  By contrast, this looks to many people like it could be a bunch of rubes looking to make a buck.

Yeah.

Sure.

Tell me another one.

The targets involved were media, feds, NGOs, contractors, and apparently academia.  The business sector only seems to have caught it second hand.  This is consistent with the interests of an intelligence service, but not with financial motives.  It’s still unclear where it began, but according to the Gizmodo article linked above, EFF thinks it may have started at Buzzfeed.  My own first hint of incoming fire was chatter early yesterday afternoon about a Google Docs phish affecting journalists and media companies.  I put out some feelers and started hearing about it directly from friends in politics and the media around 1400 yesterday.  In DC it spread fast, like the bubonic plague-themed illustration of exponential growth that my middle school algebra teacher put on for the edification and amusement of a bunch of morbid eighth graders, hopping from journalists onto government networks and thence to NGOs and the private sector.  The ones I saw all came from a compromised address at USAID.

Then, the hard part of a spearphish is the intel-gathering that has to happen beforehand.  Public-facing social media will only tell you so much.  You’re not going to find out about a journalist’s confidential sources there, and many feds avoid realname social media entirely, because of the inherent opsec problem.  If only there was an easy way to map social networks in Washington so you could narrowly focus your OSINT efforts on the likeliest victims.

Enter a malicious Google app that siphons up your contacts and blasts itself out to your entire network.  The Mailinator address CCed on every single hop the phish made between accounts, presumably intended to detect whether the messages sent successfully, doubles as a log of who forwarded it to whom.  Someone has that full dataset somewhere, even though Google nuked the app and the related domains, and is making it into a lovely network graphic with pretty colors and all.

As a phish searching for financial data, this campaign isn’t the greatest: it doesn’t catch any credentials that could be checked against banks or other accounts, and there doesn’t seem to have been a malware payload besides the mischievous app.  As a way to map networks and gather intelligence for a more sophisticated spearphishing campaign while looking like stupid crime, it’s brilliant.  So if there’s another, more subtle round of OAuth spearphishes hitting intel targets any time soon, you’ll find me at a corner table at the Hamilton in the most disreputable clothes I own, inhaling cocktails and looking smug.
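Two of the things described above are checkable after the fact by anyone with an admin export of third-party app grants and a mail log: whether a granted app holds the contacts-plus-send combination that lets it mail itself to everyone you know, and whether a single throwaway address is CCed on mail from many unrelated senders.  The following is an added example written for this post, not code from the original or from Google; the scope URIs are Google’s published scope names, but the grant and message records, app names, client IDs and addresses are constructed sample data.

```python
"""Added example (not from the original post): triage OAuth grants for the
contacts-plus-send combination that makes an app self-propagating, and pull
the worm's beacon-CC fingerprint out of mail metadata.

Assumptions (not from the page): Grant and Message records are constructed
sample data in the shape of an admin export; the scope URIs are Google's
published scope names, everything else is made up."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Google API scope URIs. A read-contacts scope plus a send-mail scope is all an
# app needs to harvest the address book and mail itself to every entry.
READ_CONTACTS = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}
SEND_MAIL = {
    "https://www.googleapis.com/auth/gmail.send",
    "https://mail.google.com/",
}


@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: set[str] = field(default_factory=set)


def grant_risk(g: Grant) -> str:
    """'wormable' if the app can harvest contacts AND send mail as the user,
    'sensitive' if it can do one of the two, otherwise 'low'."""
    can_read = bool(g.scopes & READ_CONTACTS)
    can_send = bool(g.scopes & SEND_MAIL)
    if can_read and can_send:
        return "wormable"
    if can_read or can_send:
        return "sensitive"
    return "low"


def impostor_name(app_name: str, first_party=("google docs", "google drive", "gmail")) -> bool:
    """A third-party client whose display name is a first-party product name is
    the consent-screen trick the worm relied on."""
    return app_name.strip().lower() in first_party


@dataclass
class Message:
    sender: str
    cc: list[str]


def beacon_cc(msgs: list[Message], throwaway_domains=("mailinator.com",),
              min_senders: int = 3) -> dict[str, int]:
    """CC addresses at a throwaway domain that appear on mail from at least
    min_senders distinct senders. One disposable address CCed on every hop is
    the worm's reporting channel, and it survives in headers long after the
    app and its domains are gone."""
    senders_by_cc: dict[str, set[str]] = defaultdict(set)
    for m in msgs:
        for addr in m.cc:
            domain = addr.lower().rpartition("@")[2]
            if domain in throwaway_domains:
                senders_by_cc[addr.lower()].add(m.sender.lower())
    return {cc: len(s) for cc, s in senders_by_cc.items() if len(s) >= min_senders}


# Constructed sample data: one benign grant, one impostor with the wormable pair.
SAMPLE_GRANTS = [
    Grant("alice@agency.example", "Calendar Sync", "111.apps.googleusercontent.com",
          {"https://www.googleapis.com/auth/calendar.readonly"}),
    Grant("alice@agency.example", "Google Docs", "999.apps.googleusercontent.com",
          {"https://www.googleapis.com/auth/contacts.readonly",
           "https://www.googleapis.com/auth/gmail.send"}),
]

# Constructed sample mail metadata: the same beacon address CCed by three senders.
SAMPLE_MESSAGES = [
    Message("alice@agency.example", ["beacon@mailinator.com", "bob@paper.example"]),
    Message("bob@paper.example", ["beacon@mailinator.com"]),
    Message("carol@ngo.example", ["beacon@mailinator.com"]),
    Message("dave@firm.example", ["friend@mailinator.com"]),
]


def triage() -> tuple[list[tuple[str, str, bool]], dict[str, int]]:
    """Run both checks over the sample data and return the findings."""
    grants = [(g.app_name, grant_risk(g), impostor_name(g.app_name)) for g in SAMPLE_GRANTS]
    return grants, beacon_cc(SAMPLE_MESSAGES)


if __name__ == "__main__":
    grants, beacons = triage()
    for app, risk, fake in grants:
        print(f"{app:14s} {risk:9s} {'IMPOSTOR NAME' if fake else ''}")
    print("beacon CCs:", beacons)
```

The grant check is worth running on its own schedule, not just after an incident: a "Google Docs" client ID holding `gmail.send` is a finding regardless of whether anyone has clicked yet.  The CC fingerprint is the part that survives takedown, which is why the author’s point about someone still holding the full dataset stands.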

There Is A Fancy Bear In The Woods…

I set myself to piece together a full account of what our glorious leader likes to call The Cyber, so here goes.  Even without the IC’s TS-SCI Ears-Only Eat Before Reading intel, the attribution is not seriously in doubt.  In fact I am not going to use any IC sources at all: I can prove to you that it was the Russians solely with open-source private-sector intel.  Onward.

The DNC breach is the most straightforward.  It was carried out by APT28 (Fancy Bear, Sofacy, GRU) and APT29 (Cozy Bear, FSB).  These groups are Russian covers.  This was known well before the DNC hacks: these groups operate out of Russian time zones, build their code in Russian-language environments, and only seem to attack targets of interest to Putin’s ‘government’.  There’s more history of these threat groups here and here.

Guccifer 2.0 claims to be a Romanian, like the original.  They’re not.  The consensus is that Gucci is six KGB politicals in an unconvincing black hacker hoodie (TW: fake Cyrillic). To start with, a chat with a reporter from Motherboard revealed that Gucci does not, in fact, speak correct Romanian, and the metadata is riddled with Russian, as spotted by PwnAllTheThings (although interestingly suggesting a wannabe hacktivist rather than GRU).  Linguistic analysis of their English suggests Russian is a more likely native language than Romanian.  Later, they sent a written statement displaying some of the same grammatical markers to a cybersecurity conference hosted in London by PSBE Futures Group.  To cement the case against Gucci’s personhood, they cleaned up their English and their metadata soon after the first interview. As to The Cyber, in the chat interview with Motherboard, Gucci claims to have broken into the DNC via an NGP VAN 0day in the summer of 2015, except that:

  1. CrowdStrike found no such thing.
  2. NGP VAN is a cloud-based service not stored locally on any DNC machines and is not a particularly efficient attack vector.
  3. Any breach would have been spotted when NGP VAN did the Dec. 2015 audit to figure out how the Sanders campaign wound up seeing the Clinton donor and voter rolls.
  4. NGP VAN is sufficiently specialized and obscure that there isn’t a commercial market for 0days.

This is in effect a claim to be vastly more sophisticated than the Bears, and it’s coming from some time-traveling quantum twerp who doesn’t seem to realize that finding 0day is laughably inefficient when a phish would accomplish the same with much less sorrow.  Not only that, but they continue to insist not only that they used a vulnerability which apparently does not exist, but also that they were the only attacker inside the DNC.  That is, the person blogging and speaking to reporters knows buggerall about The Cyber, and [bad Russian accent] also is KGB cutout.  Lastly, as has been observed over and over again, the dox Gucci released were impressively boring and do not in any way further his alleged ideological goals.  Thomas Rid of King’s College London suggests, based on the quick turnaround between the DNC noticing Bears running around in their network, CrowdStrike’s involvement, and the sloppy appearance of Gucci, that the DNC leak was a panicky seat-of-the-pants attempt to salvage an otherwise blown operation, and not a very good one.  It’s evidently enough for KGB purposes to sow enough doubt to give a foothold to the whataboutists and conspiracy-mongers. The ThreatConnect guys’ theory, citing the ludicrous amplification of the whole thing on Russian state media and the low value of the dox, that Gucci’s stuff was ultimately more useful to Putin for reinforcing narratives on state media than as an active measure here in the US is very interesting.  But what was the primary purpose of the op, before CrowdStrike came along to blow the whole show sky-high: passive intelligence collection or active measures?  I lack the manpower and infrastructure to bug the Kremlin, so we’ll have to wait until something leaks.

As for Podesta, SecureWorks has this technical account of the phishing campaign that got him and this breakdown of their targets.  The phishing email that got Podesta turns up in the Wikileaks dump (link obviously goes to Wikileaks, approach with however much caution fits your paranoia level).  TG-4127, the group it’s associated with, is our old friends Fancy Bear again.  Much of the information published by DCLeaks also seems to have come from this phish, and as far as I’ve seen all of it was obtained by APT28, but I need to follow that rabbit hole a little further to see whether other phishing campaigns may have been involved.  This one got caught because of an opsec fail in the use of Bitly to mass-generate customized landing pages.  The phish itself wasn’t nearly as crude as it looks from the plaintext in WL.  Podesta would have seen this, also via @PwnAllTheThings:

This is pretty good, as it goes: the tipoff is the accounts.googlemail.com sender and of course the URL at the fraudulent login page, hidden behind a Bitly link so the destination isn’t visible in the mail itself.  One has to wonder if they tried to put the source of the fake breach in Ukraine deliberately.  Maybe this phishing email is what Putin was referring to when he tried to pin the leaks on the Ukrainian government?
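Both tipoffs are mechanical enough to check before a human ever sees the mail: the sender domain against the set a vendor is expected to send from, and each link against the vendor’s registrable domain, with shortener links flagged outright because they hide the destination.  The following is an added example, not code from the original post or from any of the vendors named; the sample message is constructed (it is not the Podesta email), and the sender and link allowlists are assumptions a small shop might maintain, not a statement of which domains Google actually mails from.

```python
"""Added example (not from the original post): flag a password-reset lure on
the two signals the post names, the From domain and the link destination.

Assumptions (not from the page): EXPECTED_* sets are an operator's allowlist,
not a claim about Google's real sending domains; SAMPLE_PHISH is a constructed
message and its links are made up."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER_DOMAINS = {"google.com", "accounts.google.com"}   # assumption
EXPECTED_LINK_DOMAINS = {"google.com"}                             # assumption
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
URL_RE = re.compile(r'https?://[^\s<>"]+')


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough to expose 'accounts.google.com-…'
    hosts, whose registrable domain is something like 'com-verify.example'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phish_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # Signal 1: the sender domain. parseaddr strips the display name, so a
    # friendly "Google <...>" label does not help the attacker here.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not an expected sender")

    # Signal 2: every link. Shorteners are flagged as-is (resolve them out of
    # band); everything else is judged on its registrable domain, not on
    # whether the hostname merely starts with the vendor's name.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        reg = registrable_domain(host)
        if host in URL_SHORTENERS:
            findings.append(f"link via shortener {host}: destination hidden")
        elif reg not in EXPECTED_LINK_DOMAINS:
            kind = "lookalike" if "google" in host else "off-domain"
            findings.append(f"{kind} link {host} (registrable domain {reg})")
    return findings


# Constructed sample lure; headers and links are made up for the example.
SAMPLE_PHISH = """\
From: Google <no-reply@accounts.googlemail.com>
To: target@campaign.example
Subject: Someone has your password

Hi,
Someone just used your password to try to sign in to your account.
You should change your password immediately: https://bit.ly/2aBcDeF
Or review recent activity at https://accounts.google.com-verify.example/login
Best, The Gmail Team
"""


if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE_PHISH):
        print("-", finding)
```

The registrable-domain comparison is the important design choice: matching on "starts with accounts.google.com" would pass the lookalike host, and matching on "contains google" would fail the real thing.  A shortener link gets flagged rather than followed because resolving it from the mail gateway both leaks that the message was read and, with per-recipient Bitly links like the ones in this campaign, tells the sender exactly which target opened it.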

Motherboard, Krypt3ia (who seems to be the original source here), and even the Daily Caller all agree based on the metadata that the Clinton Foundation dox were fake.  The Hill reports that the Clinton Foundation was able to turn up no evidence of a breach.  This seems kind of weird and haphazard, and casts doubt on the authenticity of Gucci’s other data dumps.  It’s certainly not the KGB’s best work.  It’s also, let’s be real, kind of weird that no emails either from or claiming to be from the Notorious HRC Server have turned up anywhere in all this mess.  Maybe they would have, if Trump hadn’t publicly asked the Russians to cough them up.  Who knows.

Lastly, the feds interrupted an attack on voter registration infrastructure in Illinois and Arizona before any damage was done.  Voter rolls are part of the public record, so there’s no intel-collection motive for this, although the KGB is somewhat notoriously bad at OSINT.  It remains unclear what was intended.

Anyway that’s what we know right now, and why we know it.