[Dailydave] "When you shoot at the king, you best not miss."
Adam Shostack
adam at shostack.org
Thu Jun 16 11:56:46 EDT 2016
It's entirely possible that this is a disinformation campaign, or that
attribution is hard, and Crowdstrike made a mistake:
http://www.csoonline.com/article/3084594/security/dnc-hacker-slams-crowdstrike-publishes-opposition-memo-on-donald-trump.html
On Thu, Jun 16, 2016 at 11:26:46AM -0400, dave aitel wrote:
| So I want to point out some things about this really weird DNC Hack. The
| only example I can think of where a nation-state hacked someone and then
| released the documents under a cover-account is North Korea and Sony
| Pictures Entertainment. I can see examples of other smaller services
| (Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a
| lot to lose, so acting like this can make sense and probably showed some
| teeth at an important time.
| But Russia is a whole different kind of service! They have important
| connections to the United States, and having the first thing Hillary
| thinks if she wins the Presidency be "Let's get back at Russia for
| trying to take my campaign out" seems like a cost-benefit equation that
| would preclude this kind of action.
|
| Are there other examples of Russian intelligence doing this sort of
| thing? Is this a change from the norm? Surely this isn't what Russia
| wants the new norm to be, right?
|
| -dave
|
|
| Conversation <https://twitter.com/thegrugq/timelines/743231527639621632>
|
| 1.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743179750064037888>
|
| Now THIS is a really interesting development in #*DncHack*
| <https://twitter.com/hashtag/DncHack?src=hash>: @*Gawker*
| <https://twitter.com/Gawker> has & is publishing the DNC's Trump
| oppo research
|
| 2.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743180111038472192>
|
| This is a big development, because it means whoever did #*DncHack*
| <https://twitter.com/hashtag/DncHack?src=hash> to get Trump oppo
| file was doing it (bear with me) in *support* of Trump.
|
| 3.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743180624731717636>
|
| How does this help Trump, you ask? It's a full dump. Trump gets lots
| of bad news today, but DNC loses ability to use contents strategically.
|
| 4.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743183682530324480>
|
| A few observations about this op 1) Another data point in Russian
| SIGINT strategically leaking stolen data to push a particular narrative.
|
| 5.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743184280008916992>
|
| 2) This para. V. bad for DNC if those are classification markings
| (but could be campaign "doc is sensitive" bluster)
|
| 6.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743184776547340288>
|
| 3) Gosh, I wonder what outlet Russian intelligence is going to use
| to launder these stolen documents.
|
| 7.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 18 hours ago
| <https://twitter.com/pwnallthethings/status/743184953546924033>
|
| 4) If you want to peruse the Trump oppo research directly, here's
| the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf …
| <https://t.co/D6qUsqIoDN>
|
| 8.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743191210718797824>
|
| 5) Site apparently set up by the group that hacked DNC
| https://guccifer2.wordpress.com/ <https://t.co/AqXxuUwzS0>
|
| 9.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743191996437770241>
|
| 6) This is all of the text from the hacker's post, in case website
| gets taken down. Check out the broken English.
|
|
| 10.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743194146752565248>
|
| 7) Uh oh. This is an unfortunate document for Russia to have stolen from
| under the noses of the DNC.
|
| 11.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743197064843104257>
|
| 8) Lol. Russian #*opsec*
| <https://twitter.com/hashtag/opsec?src=hash> fail.
|
| 12.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743199185596465152>
|
| 9) Better #*opsec* <https://twitter.com/hashtag/opsec?src=hash> in
| the "NatSec & Foreign Policy" doc. Attackers using VMs to open some
| (but clearly not all) docs
|
| 13.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 17 hours ago
| <https://twitter.com/pwnallthethings/status/743200699975086083>
|
| 10) Files from Russian Intelligence Agencies can contain viruses.
| It's safer to stay in Protected View
|
| 14.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 16 hours ago
| <https://twitter.com/pwnallthethings/status/743201610235514880>
|
| 11) Document #5 leaks via tracked changes (thx @*TheCyberSecExp*
| <https://twitter.com/TheCyberSecExp>) but it's not very interesting,
| and likely not hacker
|
| 15.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 16 hours ago
| <https://twitter.com/pwnallthethings/status/743203462683496448>
|
| Pwn All The Things Retweeted Peter Johnson
|
| 12) To clarify: leak is the RU-lang settings, not name (cover name
| references "Iron Felix"
| https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …
| <https://t.co/E14IjtJv9b>)
|
| Pwn All The Things added,
|
| *Peter Johnson* @alcebaid
| @*pwnallthethings* Felix is really a pseudo
| 16.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 16 hours ago
| <https://twitter.com/pwnallthethings/status/743208737469509632>
|
| Pwn All The Things Retweeted (((davi - 德海)))
|
| 13) Another #*opsec* <https://twitter.com/hashtag/opsec?src=hash>
| fail. (This happened because they did an Export as PDF, and then
| later saved, w/ lang set to RU)
|
| Pwn All The Things added,
|
| *(((davi - 德海)))* @daviottenheimer
| @*pwnallthethings* "error! invalid hyperlinks" in Russian...
| 17.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 16 hours ago
| <https://twitter.com/pwnallthethings/status/743209989217587200>
|
| 14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username
| is founder of USSR secret police & likes laundering docs via Wikileaks.
|
| 18.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 16 hours ago
| <https://twitter.com/pwnallthethings/status/743211918995951616>
|
| 15) Spot the difference: Left: doc sent to Gawker (page 210). On
| right, same page in https://guccifer2.wordpress.com/
| <https://t.co/AqXxuUwzS0>
|
|
| 19.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 15 hours ago
| <https://twitter.com/pwnallthethings/status/743221774725300224>
|
| 16) Tangentially related: "VantageUploader" is the tool DNC use to
| share vids. JWT arg leaks author email in base64.
|
| 20.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 15 hours ago
| <https://twitter.com/pwnallthethings/status/743226558412918788>
|
| 17) Final piece of metadata: Creation date and software used to turn
| DOC into the Gawker PDF (note: could be journo)
|
|
| 21.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 15 hours ago
| <https://twitter.com/pwnallthethings/status/743228802646573060>
|
| 18) Metadata from the various docs
|
|
| 22.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 15 hours ago
| <https://twitter.com/pwnallthethings/status/743230570440826886>
|
| Pwn All The Things Retweeted Florian Wagner
|
| 19) @*_fl01* <https://twitter.com/_fl01> points out "Grizli777"
| indicates that pirated Office (2007) was used by the hacker.
|
| Pwn All The Things added,
|
| *Florian Wagner* @_fl01
| @*_fl01* @*pwnallthethings* Get it now ;) »Grizli777«'s cracked MS
| Office seems 2b popular among Russians and Romanians.
| 1.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 14 hours ago
| <https://twitter.com/pwnallthethings/status/743232989602156546>
|
| 20) Extra data-point: Author on The Smoking Gun's PDF is
| different again. (good chance this is TSG's journo)
|
| 2.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 3 hours ago
| <https://twitter.com/pwnallthethings/status/743408033691279361>
|
| 21) Missed this yesterday, but the hacker contacted TSG (and
| probably Gawker) via a GMZ.us (anonymous) email addr
|
| 3.
| *Pwn All The Things* @*pwnallthethings*
| <https://twitter.com/pwnallthethings> 2 hours ago
| <https://twitter.com/pwnallthethings/status/743416709281898496>
|
| Pwn All The Things Retweeted CrowdStrike
|
| 22) A weak data point, but @*CrowdStrike*
| <https://twitter.com/CrowdStrike> also says Guccifer2.0 doesn't
| change their attribution of #*DncHack*
| <https://twitter.com/hashtag/DncHack?src=hash> to Russia
|
| Pwn All The Things added,
|
| *CrowdStrike* @CrowdStrike
| New hacker claims credit for DNC hack. CrowdStrike fully stands
| by attribution to Russian government
| https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
| _______________________________________________
| Dailydave mailing list
| Dailydave at lists.immunityinc.com
| https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Don't miss out on my news, which comes out roughly once a quarter.
http://adam.shostack.org/newthing.html
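The quoted thread walks through the document metadata that gave the "lone hacker" story away: author and last-editor fields, creation and modification dates, the producing application, the proofing language set on runs, and tracked changes left in the file. The same fields can be audited on your own documents before they are released. The script below is an added example, not code from this list or from any of the thread's authors; it constructs a minimal .docx in memory with made-up values (sample-author, sample-editor, the ru-RU language tag) and reads only the OOXML parts that carry those fields.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# OOXML namespaces for the package parts that carry document metadata.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
W = "{%s}" % NS["w"]
CORE_FIELDS = (("author", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("created", "dcterms:created"), ("modified", "dcterms:modified"))

def audit_docx(data: bytes) -> dict:
    """Author, last editor, dates, producing app, proofing languages, leftover tracked changes."""
    report = {"application": None, "languages": [], "tracked_changes": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in CORE_FIELDS:
                el = core.find(path, NS)
                report[key] = el.text if el is not None else None
        if "docProps/app.xml" in parts:
            el = ET.fromstring(z.read("docProps/app.xml")).find("ep:Application", NS)
            report["application"] = el.text if el is not None else None
        if "word/document.xml" in parts:
            doc = ET.fromstring(z.read("word/document.xml"))
            # w:lang holds the per-run proofing language (val / eastAsia / bidi attributes).
            report["languages"] = sorted({v for el in doc.iter(W + "lang") for v in el.attrib.values()})
            # w:ins / w:del are tracked insertions and deletions that were never accepted.
            report["tracked_changes"] = any(next(doc.iter(W + t), None) is not None for t in ("ins", "del"))
    return report

def build_sample_docx() -> bytes:
    """Constructed minimal .docx with made-up values: only the parts audit_docx reads."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>sample-author</dc:creator><cp:lastModifiedBy>sample-editor</cp:lastModifiedBy>'
            '<dcterms:created>2016-06-15T10:00:00Z</dcterms:created>'
            '<dcterms:modified>2016-06-15T11:30:00Z</dcterms:modified></cp:coreProperties>'
            % (NS["cp"], NS["dc"], NS["dcterms"]))
    app = '<Properties xmlns="%s"><Application>Microsoft Office Word</Application></Properties>' % NS["ep"]
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr>'
           '<w:t>text</w:t></w:r><w:ins w:id="1" w:author="sample-editor"><w:r><w:t>added</w:t>'
           '</w:r></w:ins></w:p></w:body></w:document>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", doc)):
            z.writestr(name, xml)
    return buf.getvalue()
```

Run `audit_docx` over a real file's bytes to see the same fields; a language tag, author or unaccepted change you did not expect is the cue to scrub the document before it leaves your hands.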