[Dailydave] "When you shoot at the king, you best not miss."
Mara Tam
marasawr at gmail.com
Thu Jun 16 17:59:28 EDT 2016
Leaving aside problems with assuming that this is definitely state-sponsored, it is worth reading through the Information Security Doctrine of the Russian Federation.[1] N.B. This has been in place since 2000, and is due to be updated shortly.
This Diplomaatia piece surveys the substance of likely changes as well as the motivations driving them.[2] There have been interim update of sorts in changes to the military doctrine from 2010,[3] and from 2014.[4] But, lest one be tempted to shout ‘Ah-HA!’, the US and Russia have been working fitfully towards something like the Sino-American and Sino-Russian non-aggression pacts for ICT since 2013. If Guccifer 2.0 is a proxy acting at the direction of the Russian state, then Russia has been caught violating a core tenet of their own ICT security doctrine (i.e. interfering in the internal affairs of a foreign power), which would be very extremely not good.[5]
That said, it is worth keeping in mind that an actor contracted by the state to engage in information warfare may contract to non-state clients as well. And here we trip over the fuzzy grey lines separating ‘sponsored’, ‘sanctioned’, and ’tolerated'. Attribution is hard.
-mara
_________
[1] http://archive.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc32575d900298676/2deaa9ee15ddd24bc32575d9002c442b!OpenDocument
[2] http://www.diplomaatia.ee/en/article/venemaa-foderatsiooni-soovid-it-valdkonna-reguleerimisel/
[3] https://globalvoices.org/2010/02/23/russian-military-doctrine/
[4] Mostly the same as 2010, some additional language specific to the information space in conflict. https://www.offiziere.ch/wp-content/uploads-001/2015/08/Russia-s-2014-Military-Doctrine.pdf
[5] For the purposes of this thought experiment, Georgia, Crimea, Kharkiv, Luhansk, and Donetsk are not ‘foreign’.
> On 16 Jun 2016, at 11:26, dave aitel <dave at immunityinc.com> wrote:
>
> So I want to point out some things about this really weird DNC Hack. The only example I can think of where a nation-state hacked someone and then released the documents under a cover-account is North Korea and Sony Pictures Entertainment. I can see examples of other smaller services (Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a lot to lose, so acting like this can make sense and probably showed some teeth at an important time.
> But Russia is a whole different kind of service! They have important connections to the United States, and having the first thing Hillary thinks if she wins the Presidency be "Let's get back at Russia for trying to take my campaign out" seems like a cost-benefit equation that would preclude this kind of action.
>
> Are there other examples of Russian intelligence doing this sort of thing? Is this a change from the norm? Surely this isn't what Russia wants the new norm to be, right?
>
> -dave
>
> Conversation
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> Now THIS is a really interesting development in #DncHack: @Gawker has & is publishing the DNC's Trump oppo research
>
> 97 retweets101 likes
> Re
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> This is a big development, because it means whoever did #DncHack to get Trump oppo file was doing it (bear with me) in *support* of Trump.
> View conversation35 retweets43 likes
> Reply Retweet 35 Like 43
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> How does this help Trump, you ask? It's a full dump. Trump gets lots of bad news today, but DNC loses ability to use contents strategically.
> View conversation34 retweets45 likes
> Reply Retweet 34 Like 45
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> A few observations about this op
> 1) Another data point in Russian SIGINT strategically leaking stolen data to push a particular narrative.
>
> View conversation22 retweets31 likes
> Reply Retweet 22 Like 31
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> 2) This para. V. bad for DNC if those are classification markings (but could be campaign "doc is sensitive" bluster)
> <ClBSKVuXIAAALo3.jpg>
> 16 retweets17 likes
> Reply Retweet 16 Like 17
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> 3) Gosh, I wonder what outlet Russian intelligence is going to use to launder these stolen documents.
> <ClBSnM2WkAApNd9.jpg>
> 21 retweets24 likes
> Reply Retweet 21 Like 24
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
> 4) If you want to peruse the Trump oppo research directly, here's the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf …
> View conversation28 retweets27 likes
> Reply Retweet 28 Like 27
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 5) Site apparently set up by the group that hacked DNC https://guccifer2.wordpress.com/
> <ClBYdsHWgAA53kN.jpg>
> 21 retweets25 likes
> Reply Retweet 21 Like 25
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 6) This is all of the text from the hacker's post, in case website gets taken down. Check out the broken English.
> <ClBZKsnXEAAC9y2.jpg>
>
> <ClBZLXJXEAAgOyW.jpg>
> <ClBZKLTXIAQGlIX.jpg>
> <ClBZLaXXIAA3kJ-.jpg>
> 32 retweets29 likes
> Reply Retweet 32 Like 29
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 7) Uh oh. This is an unfortunate document for Russia to stolen from under the noses of the DNC.
> <ClBbIr3WQAAgkGx.jpg>
> 25 retweets29 likes
> Reply Retweet 25 Like 29
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 8) Lol. Russian #opsec fail.
> <ClBdykWWEAALE9E.jpg>
> 65 retweets76 likes
> Reply Retweet 65 Like 76
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using VMs to open some (but clearly not all) docs
> <ClBfuApWAAAuD8a.jpg>
> 10 retweets12 likes
> Reply Retweet 10 Like 12
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
> 10) Files from Russian Intelligence Agencies can contain viruses. It's safer to stay in Protected View
> <ClBhGJUWMAEgFQ7.jpg>
> 11 retweets19 likes
> Reply Retweet 11 Like 19
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
> 11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but it's not very interesting, and likely not hacker
> <ClBh7IhWEAAO6dV.jpg>
> 5 retweets9 likes
> Reply Retweet 5 Like 9
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
> Pwn All The Things Retweeted Peter Johnson
> 12) To clarify: leak is the RU-lang settings, not name (cover name references "Iron Felix" https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …)
> Pwn All The Things added,
> Peter Johnson @alcebaid
> @pwnallthethings Felix is really a pseudo
> View conversation5 retweets9 likes
> Reply Retweet 5 Like 9
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
> Pwn All The Things Retweeted (((davi - 德海)))
> 13) Another #opsec fail. (This happened because they did an Export as PDF, and then later saved, w/ lang set to RU)
> Pwn All The Things added,
> <ClBfs3FUsAAtuk7.jpg>
> (((davi - 德海))) @daviottenheimer
> @pwnallthethings "error! invalid hyperlinks" in Russian...
> View conversation25 retweets27 likes
> Reply Retweet 25 Like 27
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
> 14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is founder of USSR secret police & likes laundering docs via Wikileaks.
> View conversation64 retweets62 likes
> Reply Retweet 64 Like 62
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
> 15) Spot the difference: Left: doc sent to Gawker (page 210). On right, same page in https://guccifer2.wordpress.com/
> <ClBrTJtWEAQwnHT.jpg>
>
> <ClBrR5KWkAACaFo.jpg>
> 13 retweets18 likes
> Reply Retweet 13 Like 18
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
> 16) Tangentially related: "VantageUploader" is the tool DNC use to share vids. JWT arg leaks author email in base64.
> <ClB0Q2LWYAArFdA.jpg>
> 4 retweets12 likes
> Reply Retweet 4 Like 12
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
> 17) Final piece of metadata: Creation date and software used to turn DOC into the Gawker PDF (note: could be journo)
> <ClB4nXdWgAIRY-K.jpg>
>
> <ClB4nYMWgAEfvcI.jpg>
> 4 retweets8 likes
> Reply Retweet 4 Like 8
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
> 18) Metadata from the various docs
> <ClB6p5XWgAQZXCn.jpg>
>
> <ClB6p6QXEAAVA4M.jpg>
> <ClB6p7gXEAQc0P1.jpg>
> 5 retweets3 likes
> Reply Retweet 5 Like 3
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
> Pwn All The Things Retweeted Florian Wagner
> 19) @_fl01 points out "Grizli777" indicates that pirated Office (2007) was used by the hacker.
> Pwn All The Things added,
> <ClB38YpWIAAOOzt.jpg>
> Florian Wagner @_fl01
> @_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS Office seems 2b popular among Russians and Romanians.
> • Pwn All The Things @pwnallthethings 14h14 hours ago
> 20) Extra data-point: Author on The Smoking Gun's PDF is different again. (good chance this is TSG's journo)
> <ClB-dwjWYAEmW2x.jpg>
> 4 retweets6 likes
> Reply Retweet 4 Like 6
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 3h3 hours ago
> 21) Missed this yesterday, but the hacker contacted TSG (and probably Gawker) via a GMZ.us (anoymous) email addr
> <ClEdqi1WIAA1u9Y.jpg>
> 7 retweets3 likes
> Reply Retweet 7 Like 3
> More
> • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 2h2 hours ago
> Pwn All The Things Retweeted CrowdStrike
> 22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't change their attribution of #DncHack to Russia
> Pwn All The Things added,
> CrowdStrike @CrowdStrike
> New hacker claims credit for DNC hack. CrowdStrike fully stands by attribution to Russian government https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
> 1 retweet4 likes
> Reply Retweet 1 Like 4
> More
> View conversation6 retweets12 likes
> Reply Retweet 6 Like 12
> More
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
More information about the Dailydave
mailing list