[Dailydave] "When you shoot at the king, you best not miss."

Mara Tam marasawr at gmail.com
Thu Jun 16 17:59:28 EDT 2016


Leaving aside problems with assuming that this is definitely state-sponsored, it is worth reading through the Information Security Doctrine of the Russian Federation.[1] N.B. This has been in place since 2000, and is due to be updated shortly.

This Diplomaatia piece surveys the substance of likely changes as well as the motivations driving them.[2] There have been interim updates of sorts in changes to the military doctrine from 2010,[3] and from 2014.[4] But, lest one be tempted to shout ‘Ah-HA!’, the US and Russia have been working fitfully towards something like the Sino-American and Sino-Russian non-aggression pacts for ICT since 2013. If Guccifer 2.0 is a proxy acting at the direction of the Russian state, then Russia has been caught violating a core tenet of their own ICT security doctrine (i.e. interfering in the internal affairs of a foreign power), which would be very extremely not good.[5]

That said, it is worth keeping in mind that an actor contracted by the state to engage in information warfare may contract to non-state clients as well. And here we trip over the fuzzy grey lines separating ‘sponsored’, ‘sanctioned’, and ‘tolerated’. Attribution is hard.

-mara
_________
[1] http://archive.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc32575d900298676/2deaa9ee15ddd24bc32575d9002c442b!OpenDocument
[2] http://www.diplomaatia.ee/en/article/venemaa-foderatsiooni-soovid-it-valdkonna-reguleerimisel/
[3] https://globalvoices.org/2010/02/23/russian-military-doctrine/
[4] Mostly the same as 2010, some additional language specific to the information space in conflict. https://www.offiziere.ch/wp-content/uploads-001/2015/08/Russia-s-2014-Military-Doctrine.pdf
[5] For the purposes of this thought experiment, Georgia, Crimea, Kharkiv, Luhansk, and Donetsk are not ‘foreign’.




> On 16 Jun 2016, at 11:26, dave aitel <dave at immunityinc.com> wrote:
> 
> So I want to point out some things about this really weird DNC Hack. The only example I can think of where a nation-state hacked someone and then released the documents under a cover-account is North Korea and Sony Pictures Entertainment. I can see examples of other smaller services (Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a lot to lose, so acting like this can make sense and probably showed some teeth at an important time.
> But Russia is a whole different kind of service! They have important connections to the United States, and having the first thing Hillary thinks if she wins the Presidency be "Let's get back at Russia for trying to take my campaign out" seems like a cost-benefit equation that would preclude this kind of action.
> 
> Are there other examples of Russian intelligence doing this sort of thing? Is this a change from the norm? Surely this isn't what Russia wants the new norm to be, right?
> 
> -dave
> 
> Conversation
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> Now THIS is a really interesting development in #DncHack: @Gawker has & is publishing the DNC's Trump oppo research
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> This is a big development, because it means whoever did #DncHack to get Trump oppo file was doing it (bear with me) in *support* of Trump.
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> How does this help Trump, you ask? It's a full dump. Trump gets lots of bad news today, but DNC loses ability to use contents strategically.
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> A few observations about this op
> 1) Another data point in Russian SIGINT strategically leaking stolen data to push a particular narrative.
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> 2) This para. V. bad for DNC if those are classification markings (but could be campaign "doc is sensitive" bluster)
> [image: ClBSKVuXIAAALo3.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> 3) Gosh, I wonder what outlet Russian intelligence is going to use to launder these stolen documents.
> [image: ClBSnM2WkAApNd9.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 18h ago
> 4) If you want to peruse the Trump oppo research directly, here's the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 5) Site apparently set up by the group that hacked DNC https://guccifer2.wordpress.com/
> [image: ClBYdsHWgAA53kN.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 6) This is all of the text from the hacker's post, in case website gets taken down. Check out the broken English.
> [image: ClBZKsnXEAAC9y2.jpg]
> [image: ClBZLXJXEAAgOyW.jpg]
> [image: ClBZKLTXIAQGlIX.jpg]
> [image: ClBZLaXXIAA3kJ-.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 7) Uh oh. This is an unfortunate document for Russia to have stolen from under the noses of the DNC.
> [image: ClBbIr3WQAAgkGx.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 8) Lol. Russian #opsec fail.
> [image: ClBdykWWEAALE9E.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using VMs to open some (but clearly not all) docs
> [image: ClBfuApWAAAuD8a.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 17h ago
> 10) Files from Russian Intelligence Agencies can contain viruses. It's safer to stay in Protected View
> [image: ClBhGJUWMAEgFQ7.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 16h ago
> 11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but it's not very interesting, and likely not hacker
> [image: ClBh7IhWEAAO6dV.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 16h ago
> Pwn All The Things Retweeted Peter Johnson
> 12) To clarify: leak is the RU-lang settings, not name (cover name references "Iron Felix" https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …)
> Pwn All The Things added,
> Peter Johnson @alcebaid
> @pwnallthethings Felix is really a pseudo
> 
> 	• Pwn All The Things @pwnallthethings, 16h ago
> Pwn All The Things Retweeted (((davi - 德海)))
> 13) Another #opsec fail. (This happened because they did an Export as PDF, and then later saved, w/ lang set to RU)
> Pwn All The Things added,
> [image: ClBfs3FUsAAtuk7.jpg]
> (((davi - 德海))) @daviottenheimer
> @pwnallthethings "error! invalid hyperlinks" in Russian...
> 
> 	• Pwn All The Things @pwnallthethings, 16h ago
> 14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is founder of USSR secret police & likes laundering docs via Wikileaks.
> 
> 	• Pwn All The Things @pwnallthethings, 16h ago
> 15) Spot the difference: Left: doc sent to Gawker (page 210). On right, same page in https://guccifer2.wordpress.com/
> [image: ClBrTJtWEAQwnHT.jpg]
> [image: ClBrR5KWkAACaFo.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 15h ago
> 16) Tangentially related: "VantageUploader" is the tool DNC use to share vids. JWT arg leaks author email in base64.
> [image: ClB0Q2LWYAArFdA.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 15h ago
> 17) Final piece of metadata: Creation date and software used to turn DOC into the Gawker PDF (note: could be journo)
> [image: ClB4nXdWgAIRY-K.jpg]
> [image: ClB4nYMWgAEfvcI.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 15h ago
> 18) Metadata from the various docs
> [image: ClB6p5XWgAQZXCn.jpg]
> [image: ClB6p6QXEAAVA4M.jpg]
> [image: ClB6p7gXEAQc0P1.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 15h ago
> Pwn All The Things Retweeted Florian Wagner
> 19) @_fl01 points out "Grizli777" indicates that pirated Office (2007) was used by the hacker.
> Pwn All The Things added,
> [image: ClB38YpWIAAOOzt.jpg]
> Florian Wagner @_fl01
> @_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS Office seems 2b popular among Russians and Romanians.
> 
> 	• Pwn All The Things @pwnallthethings, 14h ago
> 20) Extra data-point: Author on The Smoking Gun's PDF is different again. (good chance this is TSG's journo)
> [image: ClB-dwjWYAEmW2x.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 3h ago
> 21) Missed this yesterday, but the hacker contacted TSG (and probably Gawker) via a GMZ.us (anonymous) email addr
> [image: ClEdqi1WIAA1u9Y.jpg]
> 
> 	• Pwn All The Things @pwnallthethings, 2h ago
> Pwn All The Things Retweeted CrowdStrike
> 22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't change their attribution of #DncHack to Russia
> Pwn All The Things added,
> CrowdStrike @CrowdStrike
> New hacker claims credit for DNC hack. CrowdStrike fully stands by attribution to Russian government https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
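The forensic points in the quoted thread (tracked changes and language settings leaking from the published documents, and an upload tool whose JWT argument exposed an author email) all concern metadata that sits in plain text inside the files. The Python script below is an added example, not code from the original thread or from anyone quoted in it: it builds a constructed minimal .docx, then audits it the way a defender would before releasing a document, pulling out the core-properties author fields, the language tags, the tracked-change authors and any deleted text that is still in the package. It also decodes the claims segment of a constructed JWT without verifying it, which shows why a JWT is signed but not secret. Every name, token and file value in it is a placeholder I made up for the example.

```python
import base64
import io
import json
import zipfile
from xml.etree import ElementTree as ET

# XML namespaces used inside an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying the kinds of metadata the
    thread discusses (author fields, language tags, tracked changes).
    Every value is a placeholder, not data from any real document."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>analyst.placeholder</dc:creator>"
        "<cp:lastModifiedBy>reviewer-placeholder</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    # The document-wide proofing language lives in settings.xml, apart from the text.
    settings = f'<w:settings xmlns:w="{NS["w"]}"><w:themeFontLang w:val="ru-RU"/></w:settings>'
    # Tracked changes keep the editor's name and the deleted text in the file
    # even though the rendered page no longer shows them.
    document = (
        f'<w:document xmlns:w="{NS["w"]}"><w:body>'
        '<w:p><w:r><w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Public text.</w:t></w:r></w:p>'
        '<w:p><w:ins w:id="1" w:author="reviewer-placeholder" w:date="2016-06-15T10:00:00Z">'
        '<w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr><w:t>Inserted sentence.</w:t></w:r></w:ins></w:p>'
        '<w:p><w:del w:id="2" w:author="analyst.placeholder" w:date="2016-06-14T09:00:00Z">'
        "<w:r><w:delText>Deleted draft sentence.</w:delText></w:r></w:del></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Pre-publication audit: collect the metadata a .docx would leak."""
    findings = {"creator": None, "last_modified_by": None, "languages": set(),
                "revision_authors": set(), "revision_count": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            el = root.find("dc:creator", NS)
            findings["creator"] = el.text if el is not None else None
            el = root.find("cp:lastModifiedBy", NS)
            findings["last_modified_by"] = el.text if el is not None else None
        if "word/settings.xml" in names:
            root = ET.fromstring(zf.read("word/settings.xml"))
            for el in root.iter(W + "themeFontLang"):
                if el.get(W + "val"):
                    findings["languages"].add(el.get(W + "val"))
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for el in root.iter(W + "lang"):          # per-run language tags
                if el.get(W + "val"):
                    findings["languages"].add(el.get(W + "val"))
            for tag in ("ins", "del"):                # tracked insertions/deletions
                for el in root.iter(W + tag):
                    findings["revision_count"] += 1
                    if el.get(W + "author"):
                        findings["revision_authors"].add(el.get(W + "author"))
            for el in root.iter(W + "delText"):       # text "deleted" but still stored
                findings["deleted_text"].append(el.text or "")
    return findings


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed token of the kind an upload URL parameter might carry.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(b'{"sub":"upload","author":"staffer@example.org"}'),
    "signature-placeholder",
])


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's claims without verifying it. A JWT is signed, not encrypted:
    anyone who sees the token (e.g. in a shared link) can read every claim, so
    claims must not carry data the holder of the link should not learn."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    print(json.dumps(audit_docx(build_sample_docx()), indent=2, default=sorted))
    print(decode_jwt_payload(SAMPLE_JWT))
```

Run it as-is to see the audit of the constructed file; point `audit_docx` at the bytes of a real .docx to check a document before it leaves the organisation. The languages it reports come from two places on purpose: the run-level `w:lang` tags and the theme language in settings.xml, which survives an Export as PDF and a later save exactly as the thread describes.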