[Dailydave] "When you shoot at the king, you best not miss."
dave aitel
dave at immunityinc.com
Thu Jun 16 11:26:46 EDT 2016
So I want to point out some things about this really weird DNC Hack. The
only example I can think of where a nation-state hacked someone and then
released the documents under a cover-account is North Korea and Sony
Pictures Entertainment. I can see examples of other smaller services
(Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a
lot to lose, so acting like this can make sense and probably showed some
teeth at an important time.
But Russia is a whole different kind of service! They have important
connections to the United States, and having the first thing Hillary
thinks if she wins the Presidency be "Let's get back at Russia for
trying to take my campaign out" seems like a cost-benefit equation that
would preclude this kind of action.
Are there other examples of Russian intelligence doing this sort of
thing? Is this a change from the norm? Surely this isn't what Russia
wants the new norm to be, right?
-dave
Conversation <https://twitter.com/thegrugq/timelines/743231527639621632>
1.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743179750064037888>
Now THIS is a really interesting development in #DncHack: @Gawker has &
is publishing the DNC's Trump oppo research
97 retweets, 101 likes
2.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743180111038472192>
This is a big development, because it means whoever did #DncHack to get
Trump oppo file was doing it (bear with me) in *support* of Trump.
35 retweets, 43 likes
3.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743180624731717636>
How does this help Trump, you ask? It's a full dump. Trump gets lots
of bad news today, but DNC loses ability to use contents strategically.
34 retweets, 45 likes
4.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743183682530324480>
A few observations about this op 1) Another data point in Russian
SIGINT strategically leaking stolen data to push a particular narrative.
22 retweets, 31 likes
5.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743184280008916992>
2) This para. V. bad for DNC if those are classification markings
(but could be campaign "doc is sensitive" bluster)
16 retweets, 17 likes
6.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743184776547340288>
3) Gosh, I wonder what outlet Russian intelligence is going to use
to launder these stolen documents.
21 retweets, 24 likes
7.
*Pwn All The Things* @pwnallthethings, 18 hours ago
<https://twitter.com/pwnallthethings/status/743184953546924033>
4) If you want to peruse the Trump oppo research directly, here's
the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf …
<https://t.co/D6qUsqIoDN>
28 retweets, 27 likes
8.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743191210718797824>
5) Site apparently set up by the group that hacked DNC
https://guccifer2.wordpress.com/ <https://t.co/AqXxuUwzS0>
21 retweets, 25 likes
9.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743191996437770241>
6) This is all of the text from the hacker's post, in case website
gets taken down. Check out the broken English.
32 retweets, 29 likes
10.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743194146752565248>
7) Uh oh. This is an unfortunate document for Russia to have stolen
from under the noses of the DNC.
25 retweets, 29 likes
11.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743197064843104257>
8) Lol. Russian #opsec fail.
65 retweets, 76 likes
12.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743199185596465152>
9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using
VMs to open some (but clearly not all) docs
10 retweets, 12 likes
13.
*Pwn All The Things* @pwnallthethings, 17 hours ago
<https://twitter.com/pwnallthethings/status/743200699975086083>
10) Files from Russian Intelligence Agencies can contain viruses.
It's safer to stay in Protected View
11 retweets, 19 likes
14.
*Pwn All The Things* @pwnallthethings, 16 hours ago
<https://twitter.com/pwnallthethings/status/743201610235514880>
11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but
it's not very interesting, and likely not hacker
5 retweets, 9 likes
15.
*Pwn All The Things* @pwnallthethings, 16 hours ago
<https://twitter.com/pwnallthethings/status/743203462683496448>
Pwn All The Things Retweeted Peter Johnson
12) To clarify: leak is the RU-lang settings, not name (cover name
references "Iron Felix"
https://en.wikipedia.org/wiki/Felix_Dzerzhinsky … <https://t.co/E14IjtJv9b>)
Pwn All The Things added,
*Peter Johnson* @alcebaid
@pwnallthethings Felix is really a pseudo
5 retweets, 9 likes
16.
*Pwn All The Things* @pwnallthethings, 16 hours ago
<https://twitter.com/pwnallthethings/status/743208737469509632>
Pwn All The Things Retweeted (((davi - 德海)))
13) Another #opsec fail. (This happened because they did an Export as
PDF, and then later saved, w/ lang set to RU)
Pwn All The Things added,
*(((davi - 德海)))* @daviottenheimer
@pwnallthethings "error! invalid hyperlinks" in Russian...
25 retweets, 27 likes
17.
*Pwn All The Things* @pwnallthethings, 16 hours ago
<https://twitter.com/pwnallthethings/status/743209989217587200>
14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username
is founder of USSR secret police & likes laundering docs via Wikileaks.
64 retweets, 62 likes
18.
*Pwn All The Things* @pwnallthethings, 16 hours ago
<https://twitter.com/pwnallthethings/status/743211918995951616>
15) Spot the difference: Left: doc sent to Gawker (page 210). On
right, same page in https://guccifer2.wordpress.com/
<https://t.co/AqXxuUwzS0>
13 retweets, 18 likes
19.
*Pwn All The Things* @pwnallthethings, 15 hours ago
<https://twitter.com/pwnallthethings/status/743221774725300224>
16) Tangentially related: "VantageUploader" is the tool DNC use to
share vids. JWT arg leaks author email in base64.
4 retweets, 12 likes
20.
*Pwn All The Things* @pwnallthethings, 15 hours ago
<https://twitter.com/pwnallthethings/status/743226558412918788>
17) Final piece of metadata: Creation date and software used to turn
DOC into the Gawker PDF (note: could be journo)
4 retweets, 8 likes
21.
*Pwn All The Things* @pwnallthethings, 15 hours ago
<https://twitter.com/pwnallthethings/status/743228802646573060>
18) Metadata from the various docs
5 retweets, 3 likes
22.
*Pwn All The Things* @pwnallthethings, 15 hours ago
<https://twitter.com/pwnallthethings/status/743230570440826886>
Pwn All The Things Retweeted Florian Wagner
19) @_fl01 points out "Grizli777" indicates that pirated Office (2007)
was used by the hacker.
Pwn All The Things added,
*Florian Wagner* @_fl01
@_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS Office
seems 2b popular among Russians and Romanians.
6 retweets, 12 likes
23.
*Pwn All The Things* @pwnallthethings, 14 hours ago
<https://twitter.com/pwnallthethings/status/743232989602156546>
20) Extra data-point: Author on The Smoking Gun's PDF is different
again. (good chance this is TSG's journo)
4 retweets, 6 likes
24.
*Pwn All The Things* @pwnallthethings, 3 hours ago
<https://twitter.com/pwnallthethings/status/743408033691279361>
21) Missed this yesterday, but the hacker contacted TSG (and probably
Gawker) via a GMZ.us (anonymous) email addr
7 retweets, 3 likes
25.
*Pwn All The Things* @pwnallthethings, 2 hours ago
<https://twitter.com/pwnallthethings/status/743416709281898496>
Pwn All The Things Retweeted CrowdStrike
22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't
change their attribution of #DncHack to Russia
Pwn All The Things added,
*CrowdStrike* @CrowdStrike
New hacker claims credit for DNC hack. CrowdStrike fully stands by
attribution to Russian government
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
1 retweet, 4 likes
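Several of the data points in the thread above (the RU language settings, the author and "last modified by" names, the application and company strings behind "Grizli777", the creation dates) are ordinary fields inside the XML parts of an Office document. The following Python script is an added example, not code from the Dailydave post or from the quoted thread: it builds a constructed .docx in memory and reads those fields with only the standard library. Every name, date, company string and language code in it is constructed for the demo; the file layout and XML namespaces are those of OOXML.

```python
"""Pull authorship and language metadata out of a .docx (OOXML) file.

Added example, not code from the Dailydave post or the quoted thread.
A .docx is a zip of XML parts; the fields that gave the thread its
language, author and application data points live in three of them:
  docProps/core.xml   creator, lastModifiedBy, created/modified timestamps
  docProps/app.xml    Application, AppVersion, Company
  word/*.xml          w:lang attributes (document defaults and per-run)
All sample values below are constructed for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# Constructed parts of a minimal .docx (a real file carries more parts).
SAMPLE_PARTS = {
    "docProps/core.xml": (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Sample Author (constructed)</dc:creator>"
        "<cp:lastModifiedBy>Феликс (constructed)</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-06-15T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T11:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ).format(**NS),
    "docProps/app.xml": (
        '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
        "<AppVersion>12.0000</AppVersion><Company>SampleCo (constructed)</Company>"
        "</Properties>"
    ).format(**NS),
    # Document defaults: these reflect the editing installation, not the text.
    "word/styles.xml": (
        '<w:styles xmlns:w="{w}"><w:docDefaults><w:rPrDefault><w:rPr>'
        '<w:lang w:val="ru-RU" w:eastAsia="ru-RU" w:bidi="ar-SA"/>'
        "</w:rPr></w:rPrDefault></w:docDefaults></w:styles>"
    ).format(**NS),
    "word/document.xml": (
        '<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:rPr><w:lang w:val="en-US"/>'
        "</w:rPr><w:t>Research memo body text</w:t></w:r></w:p></w:body></w:document>"
    ).format(**NS),
}


def build_sample_docx():
    """Return the constructed sample as .docx bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in SAMPLE_PARTS.items():
            z.writestr(name, xml.encode("utf-8"))
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_metadata(docx_bytes):
    """Return the authorship/application fields and every w:lang tag, by part."""
    meta = {"creator": None, "last_modified_by": None, "created": None,
            "modified": None, "application": None, "app_version": None,
            "company": None, "languages": {}}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
            meta["created"] = _text(core, "dcterms:created")
            meta["modified"] = _text(core, "dcterms:modified")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["app_version"] = _text(app, "ep:AppVersion")
            meta["company"] = _text(app, "ep:Company")
        # Language tags can sit in styles (document defaults), in individual
        # runs, or in settings; walk every XML part under word/.
        lang_tag = "{%s}lang" % NS["w"]
        for name in sorted(names):
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for el in ET.fromstring(z.read(name)).iter(lang_tag):
                for attr in ("val", "eastAsia", "bidi"):
                    code = el.get("{%s}%s" % (NS["w"], attr))
                    if code:
                        meta["languages"].setdefault(code, set()).add(name)
    return meta


def unexpected_languages(meta, expected=("en-US",)):
    """Language codes tagged anywhere in the file that are outside the
    expected set, with the parts they were found in."""
    return sorted((code, sorted(parts)) for code, parts in meta["languages"].items()
                  if code not in expected)


if __name__ == "__main__":
    m = extract_metadata(build_sample_docx())
    for k, v in m.items():
        print(f"{k:17} {v}")
    print("unexpected:", unexpected_languages(m))
```

The split between `word/styles.xml` and `word/document.xml` is the useful part: a per-run `w:lang` describes the text, while the `docDefaults` tag in `styles.xml` is inherited from the Word installation that last saved the file, which is why it can contradict the language of the document body. Before publishing a document, clearing these fields (Word's Document Inspector, or re-saving from a clean template) removes the same information this script recovers.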
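Tweet 16 above notes an uploader whose JWT argument leaked the author's email "in base64". That is what a signed JWT is: header and claims are base64url-encoded JSON that anyone holding the URL can read, and the signature proves only who minted the token. The script below is an added example, not code from the Dailydave post, the quoted thread, or the uploader named in it; it mints a constructed HS256 token, places it in a constructed URL under an assumed query parameter named `jwt`, and shows that the claims are readable without the key while only verification needs it. Key, URL and claim values are constructed.

```python
"""Decode a JWT found in a URL query parameter without verifying it.

Added example, not code from the Dailydave post or the quoted thread.
A JWS compact token is header.payload.signature, with header and payload
being base64url JSON. Reading them needs no key; only verifying does.
The URL, the parameter name "jwt", the key and the claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, urlparse

SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWTs strip '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, key):
    """Create an HS256-signed token (RFC 7515 compact form) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token):
    """Return (header, claims). No key is involved: that is the point."""
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def verify_hs256(token, key):
    """Check the signature; this is the only step that needs the key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def pii_claims_in_url(url, param="jwt"):
    """Claims in the URL's token whose values look like email addresses."""
    found = {}
    for token in parse_qs(urlparse(url).query).get(param, []):
        _header, claims = decode_unverified(token)
        for name, value in claims.items():
            if isinstance(value, str) and EMAIL_RE.match(value):
                found[name] = value
    return found


# Constructed upload link of the kind a browser history or proxy log records.
SAMPLE_CLAIMS = {"sub": "upload-42", "email": "staffer@example.org", "exp": 1466100000}
SAMPLE_URL = "https://uploader.example/upload?jwt=" + mint_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)


if __name__ == "__main__":
    token = parse_qs(urlparse(SAMPLE_URL).query)["jwt"][0]
    print("claims readable without the key:", decode_unverified(token)[1])
    print("email-like claims:", pii_claims_in_url(SAMPLE_URL))
    print("signature valid with right key:", verify_hs256(token, SAMPLE_KEY))
```

The defensive takeaway is that a token carried in a URL is copied into browser history, referrer headers, proxy and web-server logs, and any shared link, so identifying claims do not belong in it; use an opaque reference resolved server-side, or an encrypted JWE if the claims must travel with the request.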
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160616/dd8894ae/attachment-0001.html>