Hacking

Wikileaks- Julian Assange released classified information and damaging emails

LinkedIn, DropboxFormspring (Anthony Weiner’s sexting),voter registration-themed spear-phishing campaign, the DNC Hack 2016

China Has Abandoned a Cybersecurity Truce With the U.S., Report Says Bloomberg By 

2016 Presidential Campaign Hacking Fast Facts CNN

It’s become clear that Putin intends to sway elections in the Western world. The US, France and UK have been hacked and the US election was influenced by the combined efforts of hackers, American voices of the Alt-Right and the trolls from the US and abroad. Actual interference into voter rolls and machine vote tallies is being investigated…but not by the agency designed to investigate. Trump’s shutting that down…and instead suggesting a Cyber Security Taskforce with Putin himself at the G20 summit.  Many speculate that Putin’s trying to win the war without firing a bullet, so to speak… taking over one free country at a time and encouraging authoritarian, far-right regimes which restrict women’s rights and freedoms of all kinds.

Here’s exactly how Russia can hack the 2018 elections Vice News July 10, 2017

Spearfishing  —     Russia’s attempt to hack US election officials, explained Vox

Foreign governments hacking US elections is a real threat. We need to be ready. “According to the NSA, the Russian government began its hacking efforts by attempting to infiltrate an American election technology vendor that the Intercept says is a Florida-based company called VR Systems. The attackers used a “spear phishing” technique, sending personalized emails to several employees of the company to try to trick the employees into entering their passwords into a fake Google login form. Next, the attackers posed as employees of the voting technology company to attack election officials in jurisdictions that used the company’s products. Using real documentation stolen from VR Systems, the hackers created malicious Microsoft Word documents that compromise a victim’s computer when they are opened. The documentation was for EVid, software that manages the voter checkin process at a polling place. We don’t know how many of those 122 election officials clicked on the malicious link and had their computers compromised. We don’t know if Russian spies did anything malicious once they gained access. The attackers sent out malicious emails to 122 election officials around the country” —Vox News

DNC HACK Spring 2016    

February 16, 2018: Mueller Issues indictment against 13 Russian Nationals with working for the Russian Internet Research Agency to foment discord in the US. CNN  These people impersonated Americans and held rallies for and against Trump issues, resulting in the count for Identity Theft.

2016 Presidential Campaign Hacking Fast Facts CNN

Timeline:
June 14, 2016 – The Washington Post reports hackers working for the Russian government accessed the Democratic National Committee’s computer system, stealing oppositional research on Donald Trump and viewing staffers’ emails and chat exchanges. The Kremlin, however, denies that the government was linked to the hack, and a US official tells CNN that investigators have not yet concluded that the cyberattack was directed by the Russian government.

Track what the Russian Bots are doing in Real Time here! 

 

Steele Dossier

Quoting the Steele Dossier about planting malware in cheap Russian IT games: “In terms of the FSB’s recruitment of capable cyber operatives to carry out its, ideally deniable, offensive cyber operations, a Russian IT specialist with direct knowledge reported in June 2016 that this was often done using coercion and blackmail. In terms of ‘foreign’ agents, the FSB was approaching US citizens of Russian (Jewish) origin on business trips to Russia. In one case a US citizen of Russian ethnicity had been visiting Moscow to attract investors in his new information technology program.

The FSB clearly knew this and had offered to provide seed capital to this person in return for them being able to access and modify his IP, with a view to targeting priority foreign targets by planting a Trojan virus in the software. The US visitor was told this was common practice. The FSB also had implied significant operational success as a result of installing cheap Russian IT games containing their own malware unwittingly by targets on their PCs and other platforms.

In a more advanced and successful FSB operation, an IT operator inside a leading Russian SOE, who previously had been employed on conventional (defensive) IT work there, had been under instruction for the last year to conduct an offensive cyber operation against a foreign director of the company. Although the latter was apparently an infrequent visitor to Russia, the FSB now successfully had penetrated his personal IT and through this had managed to access various important institutions in the West through the back door.

6. The senior Russian government figure cited above also reported that non-state sponsored cyber crime was becoming an increasing problem inside Russia for the government and authorities there. The Central Bank of Russia claimed that in 2015 alone there had been more than 20 attempts at serious cyber embezzlement of money from corresponding accounts held there, comprising several billions Roubles. More generally, s/he understood there were circa 15 major organised crime groups in the country involved in cyber crime, all of which continued to operate largely outside state and FSB control. These included the so-called ‘Anunak’, ‘Buktrap‘ and ‘Metelorganisations.

– Further evidence of extensive conspiracy between campaign team and Kremlin, sanctioned at highest levels and involving Russian diplomatic staff based in the US

– TRUMP associate admits Kremlin behind recent appearance of DNC e-mails on WikiLeaks, as means of maintaining plausible deniability

– Agreed exchange of information established in both directions.

Team using moles within DNC and hackers in the US as well as outside in Russia. PUTIN motivated by fear and hatred of Hillary CLINTON. Russians receiving intel from team on Russian oligarchs and their families in US

Mechanism for transmitting this intelligence involves ‘pension’ disbursements to Russian emigres living in US as cover, using consular officials in New York, DC and Miami

– Suggestion from source close to TRUMP and MANAFORT that Republican campaign team happy to have Russia as media bogeyman to mask more extensive corrupt business ties to China and other emerging countries

Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election   June 5, 2017 The Intercept: “Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.”

Federal contractor Reality Leigh Winner arrested for sending classified NSA intelligence to news outlet “A 25-year-old federal contractor is facing charges she leaked a classified National Security Agency document to a news outlet in May.The charges against Reality Leigh Winner came about an hour after the publication of a story based on an NSA document detailing Russian attempts to hack American voting systems in 2016.” Washington Examiner

Trump’s Server, Revisited “Sorting through the new evidence, and competing theories, about the Trump server that appeared to be communicating with a Russian bank. By   Slate  November 2, 2016  “In a detailed post critiquing my piece, cybersecurity expert Rob Graham wrote, “The evidence available on the Internet is that Trump neither (directly) controls the domain trump-email.com, nor has access to the server.” This echoes the point raised by Vox, the Intercept, and others that the server was not operated by the Trump Organization directly. Rather, it was run and managed by Cendyn, a vendor that organizes email marketing campaigns for hotels and resorts…I entered the internet protocal address for mail1.trump-email.com to check if it ever showed up in Spamhaus and DNSBL.info. There were no traces of the IP address ever delivering spam…There’s a much smaller spike during the Democratic convention and no apparent increase before or during the Republican convention,” he noted. “In short, this chart seems to be totally unrelated to the political calendar.” He wonders why the largest spike occurs in August, after the party conventions. This happened to be a moment of potential interest in Russia, since those weeks were the denouement of the Paul Manafort era in the Trump campaign, with the exposure of logs showing he received $12.7 million in off-the-book payments from the Putin-backed Party of Regions. But Lee’s fundamental response is understandable: The chart shows possible correlations, not proven causation. There were reports that the Trump campaign had ordered the Republican Party to rewrite its platform position on Ukraine, maneuvering the GOP toward a policy preferred by Russia, though the Trump campaign denied having a hand in the change. Then Trump announced in an interview with the New York Times his unwillingness to spring to the defense of NATO allies in the face of a Russian invasion. Trump even invited Russian hackers to go hunting for Clinton’s emails, then passed the comment off as a joke. (I wrote about Trump’s relationship with Russia in early July.) After Tea Leaves posted his analysis on Reddit, a security blogger who goes by Krypt3ia expressed initial doubts—but his analysis was tarnished by several incorrect assumptions, and as he examined the matter, his skepticism of Tea Leaves softened somewhat. I asked nine computer scientists—some who agreed to speak on the record, some who asked for anonymity—if the DNS logs that Tea Leaves and his collaborators discovered could be forged or manipulated. They considered it nearly impossible.

* * *

Tea Leaves and his colleagues plotted the data from the logs on a timeline. What it illustrated was suggestive: The conversation between the Trump and Alfa servers appeared to follow the contours of political happenings in the United States. “At election-related moments, the traffic peaked,” according to Camp. There were considerably more DNS lookups, for instance, during the two conventions.

pol_161031_screenshotlarge
Start: DNS lookup history start date.RFC from Alfa-Bank:Alfa-Bank rep provided with 2 ips, hostname, count.Errors:4:11 a.m. UTC: DNS lookup errors Trump-Email.com.Errors:1:12 a.m. UTC: DNS lookup errors Trump-Email.com.Taken down:9:53 a.m. EST USA time: Trump-Email.com deleted from Trump authoritative name server zone.

In September, the scientists tried to get the public to pay attention to their data. One of them posted a link to the logs in a Reddit thread. Around the same time, the New York Times’ Eric Lichtblau and Steven Lee Myers began chasing the story.* (They are still pursuing it.) Lichtblau met with a Washington representative of Alfa Bank on Sept. 21, and the bank denied having any connection to Trump. (Lichtblau told me that Times policy prevents him from commenting on his reporting.)  Slate

The spike in August was at the same time the Mercer camp and their SuperPac money publicly joined Trump, with Kellyanne Conway replacing Paul Manafort as Campaign Director and Steve Bannon getting more heavily involved in the Campaign.

4/3/17 Keith Olberman on Trump’s panic over the Russian election hack, which may be about Cambridge Analytica getting the official voter information rolls from about 20 States. Cambridge Analytica has been run by Steve Bannon and owned by Trump’s savior donors, Robert and Rebekah Mercer. Mikhael Kalugin identified as the Steele Dossier Russian spy under surveillance at the US Embassy, and the key player in the election scheme, suddenly pulled back to Moscow.

Trump gave a speech in New York City on June 22, which was written to be delivered on June 9, the same day as the Campaign was anticipating receiving Kompromat, or a Blackmail File, on Clinton’s campaign. The press conference was delayed until the 22nd because of the Pulse nightclub shooting in Orlando. The same day as this speech was delivered, the Trump Tower – Alfa Bank Pings began. Full Transcript and Video on Politico.  “Because it’s not just the political system that’s rigged. It’s the whole economy. It’s rigged by big donors who want to keep down wages. It’s rigged by big businesses who want to leave our country, fire our workers, and sell their products back into the U.S. with absolutely no consequences for them. It’s rigged by bureaucrats who are trapping kids in failing schools. It’s rigged against you, the American people. Hillary Clinton has perfected the politics of personal profit and theft. She ran the State Department like her own personal hedge fund – doing favors for oppressive regimes, and many others, in exchange for cash. Then there are the 33,000 emails she deleted. While we may not know what is in those deleted emails, our enemies probably do. So they probably now have a blackmail file over someone who wants to be President of the United States. This fact alone disqualifies her from the Presidency. We can’t hand over our government to someone whose deepest, darkest secrets may be in the hands of our enemies.”

June 22, 2016: “10 days after Trump’s Reddit gets a big spike in members, less than 2 weeks post-Jr.’s meeting, Trump Tower -Alfa Bank pings begin. Seth Abramson 

Link to Dr. Jean Camp’s Graph

June 12, 2016 “72 hours after Don Jr met with a Russian agent at Trump Tower, the top Trump fan-site had its largest-ever membership spike by FAR.” Seth Abramson

Alleged hacker held in Prague at center of ‘intense’ US-Russia tug of war  The Guardian

Yevgeniy Nikulin faces extradition requests from both countries amid lingering disquiet over Moscow’s alleged interference in the US presidential election

Yevgeniy Nikulin was charged with offences relating to the hacking of computer networks belonging to LinkedIn, Dropbox and Formspring.
 Yevgeniy Nikulin was charged with offences relating to the hacking of computer networks belonging to LinkedIn, Dropbox and Formspring. Photograph: YouTube    

“An alleged computer hacker being held in the Czech Republic is at the centre of an international legal tussle between the United States and Russia amid lingering disquiet over Moscow’s alleged interference in the recent US presidential election.

Yevgeniy Nikulin, 29, faces extradition requests from both countries after being detained by Czech police on an Interpol arrest warrant issued by US authorities.

Nikulin, a Russian citizen, was arrested in a restaurant in Prague on 5 October shortly after arriving in the city during a holiday with his girlfriend.

He faces a maximum 30 years in prison and up to $1m in fines if convicted on charges including computer intrusion, aggravated identity theft, conspiracy, damaging computers and trafficking in illegal access devices.

There is no acknowledged link between Nikulin’s alleged offences and the hacking of Hillary Clinton’s presidential campaign, but his arrest came just three days before the Obama administration formally accused Russia of stealing emails from the Democratic National Committee and disclosing them through WikiLeaks.

Formspring, one of the sites he allegedly hacked, was the platform used for sexting by Anthony Weiner, the former New York mayoral candidate and husband of Huma Abedin, Clinton’s closest aide. The discovery of emails linked to Clinton on Weiner’s laptop damaged her campaign in its final two weeks after the FBI director, James Comey, revealed their existence.

Meanwhile, Russia has responded to the American extradition request against Nikulin by tabling one of its own, demanding that he be returned to face allegations dating back to 2009 that he hacked another person’s bank account and stole 111,000 roubles (£1,465).

“He was never formally accused at that time. I think the reason is that he was recruited [by the Russian security services],” said Ondrej Kundra, political editor with the Czech weekly magazine Respekt, which has reported that the Russian services offer alleged offenders immunity from prosecution in exchange for collaboration.

One theory is Nikulin – even if not personally involved in the election hacking – may know other hackers who were.
 One theory is Nikulin – even if not personally involved in the election hacking – may know other hackers who were. Photograph: Police of the Czech Republic

“There’s intense lobbying in this case. People from the US and Russian side are talking to the Czech authorities because both really want Nikulin in their countries.”

Fuelling speculation is the existence of sealed US court documents, tabled six days after the original indictment against Nikulin on 20 October but whose contents have not been revealed.

“A number of documents were filed under seal, which means you cannot talk about them,” a US justice department spokesman told the Guardian.

Adam Kopecky, Nikulin’s Czech lawyer, said his client denied both the US and Russian charges and suggested he had become a political pawn. “My client and myself think it’s a political affair,” Kopecky said.

“Given the international situation, when one superpower accuses a citizen of the other of hacking their computers and then the other superpower accuses the same citizen of another crime, it’s kind of strange.”

Nikulin has suffered health problems since his arrest, his lawyer said.

Kopecky lodged an official complaint after prison authorities put his client under high-level supervision that included monitoring his communications with the lawyer.

“He is unhappy about being detained for a long time in a foreign country and about the accusations against him. He wants to return to Russia – but as a free man,” Kopecky said.

The case is currently in the hands of Prague’s chief prosecutor, who is expected to issue a decision on the twin extradition requests at the end of this month or early in February, a spokeswoman for the city’s municipal court said.

Russia’s embassy in Prague declined to comment but cited a previous foreign ministry statement in which a spokeswoman compared the affair to other incidents and called it “another proof that the US law enforcement agencies are hunting for Russian citizens across the world”.

A 32-year-old Russian computer programmer named only as Lisov was arrested by Spanish police at Barcelona airport this month on another US arrest warrant. Police in Spain said he was suspected of leading a financial fraud network and having designed and used software to steal account details from banks and individuals.

Another Russian citizen, Roman Valerevich Seleznev, was convicted last year of 38 hacking-related charges by a US court after he was arrested and extradited from Guam in 2014. Russia said Seleznev’s arrest amounted to “kidnapping”.” The Guardian

Young Russian denies she aided election hackers: ‘I never work with douchebags’ The Guardian 

“White House claims Alisa Shevchenko was involved in hacking the US election but in an interview she says authorities misinterpreted facts or were fooled

 Alisa Shevchenko: ‘I am now de facto blocked from the world’s major information security market.’ Photograph: Alisa Shevchenko

Her company was a surprise inclusion on the US sanctions list released last week, alongside top officers in Russia’s GRU military intelligence agency and two well-known criminal hackers. The company “provided the GRU with technical research and development”, according to the fact sheet released by the White House. No further details were given.

In addition to the sanctions, the US expelled 35 Russian diplomats from the country, and said it would take further, non-public measures in response.

After a week in which Russian interference in the election – apparently with the goal of helping Donald Trump to victory – has dominated the news agenda, Shevchenko has spoken out to decry the sanctions against her.

Shevchenko told the Guardian she was furious at her company’s inclusion on the list, and denied ever having knowingly worked for the Russian government. She communicated via encrypted email, from a location she said was “a wild countryside area a few hours away from Bangkok”.

In answers that were defiant, and occasionally abrasive, she decried the “insane level of hysteria around the entire ‘Russian hacking’ story”.

She suggested that the US authorities were guilty either of “a technically incompetent misinterpretation of the facts” or had been fooled by a “counterfeit in order to frame my company”. Those who could have had an interest in framing her could include competitors, US intelligence or Russian intelligence, with the goal of screening the real culprits, Shevchenko said.

“A young female hacker and her helpless company seems like a perfect pick for that goal. I don’t try to hide, I travel a lot, and am a friendly communicative person. And most importantly, I don’t have any big money, power or connections behind me to shrug off the blame. So really, it could be anyone.”

US intelligence believes the Democratic party’s servers were hacked by a group known alternatively as Fancy Bear, APT 29 or Sofacy, which they say was working for the GRU, Russia’s military intelligence. In the private sector, attribution directly to the GRU comes most clearly from US firm CrowdStrike, which is influential in US security circles. The US government believes the hacked emails were then leaked – possibly through an intermediary – to Julian Assange and WikiLeaks.

Russian authorities are known to offer a mixture of carrot and stick to engage prominent hackers in work for the state, and third-party contracting of state information security tasks is common in most countries. A number of Russian security experts declined to comment, citing the sensitivity of the subject.

“Pretty much everyone in the community has done some work for their government at some point,” said Dave Aitel, who runs Immunity, a US software security company. He described Shevchenko as “extremely well known in the information security community”.

Shevchenko described herself as “a typical introverted computer geek” who is largely self taught. She declined to say how old she was, deeming it an “impolite question”, saying instead: “If you really need a number then go ahead and make it up based on my photographs”.

Alisa Shevchenko.
 Shevchenko: ‘a typical introverted computer geek’. Photograph: Alisa Shevchenko

She said she dropped out of three different universities, as she was passionate about learning but did not enjoy the structure of a university course. Around 2004, she joined Kaspersky Lab, a high-profile Russian cybersecurity firm.

She left to set up her own company, initially called Esage Lab (“I was thinking of something ‘sage’, as in a wizard or a magician,” she said). Later, she changed its name to ZOR. Both names are on the US sanctions list.

Shevchenko specialises in finding so-called “zero-days”, previously undisclosed software bugs that could leave companies vulnerable. “We have not only searched for bugs but exploited them, but only with the customer’s sanction,” she said. She said she never hired anyone she knew to have a criminal background for her companies.

Shevchenko said she had been approached repeatedly by people she believed to be from the Russian government. She insisted, however, that she had always rejected the advances. She said she had not been threatened or intimidated as a result.

A 2014 profile of Shevchenko in Russian Forbes magazine noted that she worked with DialogNauka, a Russian company that listed among its clients the Russian ministry of defence and parts of the security services. Questioned by the Guardian, she insisted that none of her own work for DialogNauka “was even remotely possible to use as a nation-state attacks supply”.

Shevchenko said she had turned down plenty of offers of work on ideological grounds: “I never work with douchebags. I only work with honest and open people that I feel good about.” Asked directly if she had ever worked on a government contract in any capacity, she answered “not that I know of”.

Shevchenko said ZOR was closed more than a year ago, because it was difficult and expensive to do the requisite public relations work required to drum up business. She now works as a “one-man army”, she said.

Many analysts have said it seems very likely that Russian state actors are behind Fancy Bear, but concede that the publicly released evidence does not include a smoking gun.

Brian Bartholomew, of Kaspersky Lab’s US office in Massachusetts, said the biggest clue was an in-house piece of software called XAgent, which he had never seen elsewhere.

“Assange said it could have been a 14-year-old hacker – if you look at the collective operations of this group, there’s no way a 14-year-old has this much money, time and effort to conduct all of these operations together,” he said.

Of the entities on the sanctions list, including Shevchenko’s company, Bartholomew said: “There’s probably a good reason that those names were put in the document.”

Aitel said he had no doubt Russian intelligence was behind the hack and said authorities would certainly use third-party contractors for operations, but he added that it was problematic to sanction individuals without releasing evidence. “No matter what she did technically, she’s not a policy maker. It doesn’t make much sense to sanction individuals on the basis that ‘we know something secret so we’re going to sanction you’.”

Only Shevchenko’s company – rather than Shevchenko personally – is on the US treasury’s list of specially designated nationals (SDNs), which are subject to an asset freeze in any dealings with US persons or the US financial system.

“If she starts a new company, then that company is clean, but a lot of people might not want to do business with her if they do their due diligence and find that she’s one step removed from an SDN,” said Louis Rothberg, an expert in export control with the international law firm Morgan Lewis & Bockius.

Shevchenko said she assumes it is “not possible” for her to travel to the US now, and she does not particularly want to.

“I am now de facto blocked from the world’s major information security market,” Shevchenko said.

On the other hand, she allowed, there was apparently a certain cachet in being named as someone who hacked a US election. “I have received a number of employment, business partnership or collaboration offers” in the days since the sanctions list was released, she said. ” The Guardian

Cozy Bear and Fancy Bear: did Russians hack Democratic party and if so, why? The Guardian  July 29, 2016 

 and Analysts and the US government suspect an official hand behind the breach of the DNC’s emails – but if so it would represent a major escalation of cyber-activity A link between the DNC hack has not been proved or officially alleged, but, one analyst observed, ‘if everything else looks completely implausible, what’s left is probably what’s happening’. Photograph: Alamy
 In April of last year, at 10pm on a Wednesday, French network TV5Monde suddenly began to broadcast Islamic State logos and slogans in French, Arabic and English. Simultaneously the broadcaster’s Facebook page began to post inflammatory messages. “Soldiers of France, stay away from the Islamic State!” read one. “You have the chance to save your families, take advantage of it.”

Je suIS IS,” read another. But the second message was a lie.

According to security researchers, the culprit was a Russian hacking team long believed by cybersecurity analysts in and outside the US government to be working for the country’s largest intelligence agency, GRU. Fascinated researchers have given it a variety of names: APT 28, Strontium, the Sofacy Group, and Fancy Bear.

Last week, WikiLeaks distributed 20,000 emails from the Democratic National Committee (DNC) obtained after Fancy Bear and another hacking team believed to be tied to a competing Russian intelligence service, known as Cozy Bear, breached the DNC’s internal network. Cozy Bear is believed to have entered the network a year before and waited quietly, gathering information and cataloging emails. Fancy Bear came later. WikiLeaks’ consistent position is not to discuss its source and to push back against suggestions that it gained the data from either Bear.

The Bears have three important things in common: expensive digital tools, suggesting state sponsorship; an interest in pursuing sensitive, embarrassing or strategically significant information, rather than financially beneficial data; and a choice of targets that align with Russian political objectives. Both Bears infiltrated the DNC: Cozy beginning in summer 2015, Fancy in April this year.

Senior US government sources are not primarily concerned with WikiLeaks’ role in the affair. Their alarm, shared by cybersecurity researchers, is that a Russian hacking operation they consider tied to the Russian government has taken a step toward attacking an element of the US political apparatus.

“Targeting a political campaign, trying to find out everything you can about the next leader of the free world, is fair game for intelligence services, as much as we hate it. That’s a valid intelligence target,” said Toni Gidwani, a former Defense Intelligence Agency (DIA) analyst who is now chief researcher for the cybersecurity firm ThreatConnect.

“Dumping this much information and [leaving] very much the sense that there’s more to come, we have to ask different questions about what the Russian objectives are and what they think is going to happen.”

Neither the DIA nor the FBI, which has an investigation open into the DNC hack, would address whether it assesses Fancy Bear to be an instrument of the Russian intelligence apparatus. Some administration officials are unsure whether the US would make a public accusation against the Russians. But, one said, the administration is coming to the conclusion that Moscow is responsible for the hack, despite foreign minister Sergey Lavrov’s protestations.

The blurred distinction between espionage and attack online has outpaced thinking about deterrence and reprisal, meaning both an intrusion and an accusation carries the risk of escalating beyond tolerable levels. One senior official notes that the executive branch tends to be “highly circumspect” about pointing a finger at Russia.

That escalation risk is heightened because of the mystery surrounding the DNC hack. If it is the Russians, the change represented by making stolen data public raises questions on questions: did something go wrong? Or did Russia mean to push the envelope with its principal geopolitical rival? Or could cybersecurity analysts be wrong, and the ties between the Bears and Russian government objectives be less substantial than they believe?

“The implications of those assessments have some pretty stark recommendations for our leadership, so it is only appropriate to go back and double-check,” said Gidwani. “But by the same token, if everything else looks completely implausible, what’s left is probably what’s happening.”

Patterns of infiltration

Cozy Bear has a sense of humor.

According to Kaspersky, one of its most effective methods of intrusion involved hiding a virus inside a email message that played a Career Builder ad from Super Bowl XL. The ad showed a human office worker trying to tell his colleagues, who are all chimpanzees, to stop wrecking the office.

“These videos are quickly passed around offices with delight while systems are infected in the background silently,” wrote despondent Kaspersky researchers.

A key characteristic of Bear attacks – and high-quality attacks from many seasoned intruders – appears to be its adroit disguise of malicious files. In another operation, a group Kaspersky believes to be Cozy Bear sent “highly relevant and well-crafted content” – such as PDFs about Ukraine possibly joining Nato – to people who would open them and find them interesting without becoming suspicious. Sophisticated users who would spot a “YovTube.com” address or an amateurish website inviting them to type in a login might eagerly open an official-seeming white paper.

Fancy Bear has its own signatures: its identifiable suite of tools has, since 2007 or perhaps even 2004, been updated with the frequency of a software company, according to security firm FireEye. FireEye gave all the tools names – Sourface, Chopstick and Eviltoss, among others – and described them as demonstrating “formal coding practices indicative of methodical, diligent programmers”.

Rather than send its malware broadly, a pattern used by hackers who hope a fraction of their recipients will click on a dubious link, Fancy Bear sends them to specific users, in a pattern Gidwani said indicates reconnaissance on its targets. Microsoft reported that Fancy Bear finds unsuspecting users both by sifting through social media and other online data for associations with its target – say, a LinkedIn page that lists the DNC as an employer – and also by meticulously cataloging the data it has stolen in previous hacks.

“They customize their attack to thrive in that environment,” said Gidwani. “Somebody who could do that has resources, has time and a test environment to try all the stuff out to make sure they’ve got the right package they’re going to deploy. Those are hallmarks of nation-state operations. Criminals are going to hit a million people in the hope that they get a hundred.”

Fancy Bear also favors infected files, in which it usually hides Sourface, the program that creeps on to a target computer and downloads malware allowing that computer to be controlled remotely. A list of “lure” emails compiled by FireEye includes a file named “military cooperation.doc”, a Georgian-language IT document for the ministry of internal affairs, and an offer of work to a journalist from the editor of a fictitious division at Reason magazine.

Cooper Quintin, a security researcher for digital rights activists the Electronic Frontier Foundation, said that when his organization was spoofed by Fancy Bear last year, it was part of an attack on a different target. “Some friends at Google” tipped him off that someone was squatting on electronicfrontierfoundation.org, a domain the company didn’t own then, though now it links to Quintin’s post on the event.

Quintin notes that Fancy Bear benefits greatly from general ignorance about digital security: high-quality spearphishing works often, and zero-days are pricey. “Why run [a zero-day] when people still open email attachments?” Quintin asked. “It’s usually associated with criminals but it works for nation-states, too.”

Attribution is tricky, Quintin said – often, patterns only become clear after a team has been completely exposed. But there are ways to make educated guesses.

Even if a user doesn’t fall for the login page trap, Fancy Bear can glean information from the click: the user’s IP address and location, his or her browser type and version, and the target computer’s operating system.

Metadata associated with the malicious code used by Fancy Bear suggests a point of origin. Its language settings are Russian, and the malware FireEye found was overwhelmingly built during the workday in Moscow and St Petersburg.

Information worth more than money

Once either group acquires the credentials it needs for its current operation, it uses flaws in popular software to secretly send data back to its own networks without its targets’ knowledge. These flaws, known as zero-day exploits, are critical tools of any hacking organization, from thieves to spy agencies – by definition, they’re difficult for administrators to defend against. The NSA is fond of them.

Zero-day exploits are not for novice hackers. They are difficult to design and keep stable. Purchasing them on the black market is very expensive. Misused, they can collapse forever when an exploited company notices them and fixes the weakness in its software.

Used effectively, zero-day exploits can be used to steal huge amounts of money. That objective has been a hallmark of other sophisticated state-sponsored hackers. China’s famous Unit 61398 tends to steal intellectual property and information beneficial to economic activity.

But Fancy Bear and Cozy Bear don’t do that.

FireEye notes that Fancy Bear wants to exfiltrate sensitive data by camping out on a network undetected for long periods of time – a network controlled or associated with a political, military, diplomatic, activist or journalistic entity. The team acquires “intelligence that would only be useful to a government”, the firm said. The targets chosen by the Bears suggest the government who would primarily find that intelligence useful is Russia.

Famously, when the Russian military attacked Georgia in 2008, its ground assault was presaged by overloading the servers used by the president, the foreign ministry and the parliament. “Georgia in a lot of ways was one of the real opening shots in how we see Russia using cyber as an instrument of national power, fully integrated with their national objectives,” Gidwani said.

Other targets show Bear attacks moving westward – much as Russia’s intervention in Syria, its first beyond its historical frontiers in a generation, followed years of unanswered military boldness against its neighbors.

Also in 2013, Kaspersky noticed a group it called MiniDuke – now believed to be Cozy Bear, as well – sneaking into targets in Hungary, Luxembourg and Belgium. Other targets include prime Russian multilateral adversaries like Nato and the Office of Security Cooperation in Europe. And in July 2015, an infiltration into an email system used by the US military’s joint chiefs of staff led military officials to suspect Russian culpability; CrowdStrike points a finger at Cozy Bear. Around the same time, Cozy Bear made its way into the DNC’s network.

Doubt as an objective

While the FBI investigates the DNC hack, politics has taken the place of digital forensics.

Democrats have already begun to seize upon the hack to imply, as yet without evidence, that the Russians executed the attack to benefit GOP nominee Donald Trump, who has openly praised the Russian president, Vladimir Putin, something that sets him apart from any other major Republican figure in recent memory.

Cozy Bear infiltrated the DNC months before Trump surprised the political world by winning the nomination; nevertheless, the senior Democrats on the congressional intelligence committees on Wednesday called for an extraordinary declassification of intelligence assessments about the hack. The White House said it would “carefully review” the request, but the National Security Council spokesman, Ned Price, said that the just-launched FBI inquiry into the hack “will necessarily limit what we will be able to say”.

A major question at issue in the inquiry is whether the Russians, should they be culpable, intended the DNC infiltration and subsequent publication to influence the outcome of the 2016 election. ThreatConnect’s Gidwani suspects that Russia may not have had so sophisticated a plan.

“Part of me feels like that might be a more aggressive reading of what’s happening. If their objective is primarily to be a distraction, to sow confusion, to sow doubt, that doesn’t require the creation of this airtight persona,” she said, referencing the hacker persona Guccifer2.0, who claims to have passed the documents to WikiLeaks and whose authenticity has come under serious doubt.

Gidwani continued: “It allows you a lot more wiggle room and ability to fudge around the edges to create that type of effect. It’s an incredibly important question, whether Russia is trying to push the outcome of the election one way or the other. But I think we may not be sufficiently considering that that might not be the primary outcome they’re seeking.

“And that shouldn’t necessarily be cause for relief. Trying to sow this much doubt and discord is also very troubling. These types of actions, what we’ve seen thus far, they had been limited to eastern Europe, Georgia, Ukraine in the 2014 election. Moscow no longer sees the same line, if you will, between that near-abroad and the US.” The Guardian

 

Hospitals Gain Control After Ransom Hack, More Attacks May Come   

Bloomberg    

“Ransom Hackers Who Hit Hospitals Dealt Setback; May Return,” by Bloomberg’s Jordan Robertson: “The cyber-attack that spread rapidly around the globe was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to return as many computers remain at risk. Hackers can still gain easy access to personal computers that lack a security update issued in March by Microsoft Corp. to fix the vulnerability in its Windows operating system. … More than 75,000 computers in 99 countries were compromised in Friday’s attack, with a heavy concentration of infections in Russia and Ukraine.”

July 7, 2017: Russia Steps Up Spying Efforts After Election  Former DNI James Clapper: I think Russia’s goal here is to “prep the battlefield” for the 2018 election CNN 

Russia has actual spy college, wherein people get trained in a variety of legitimate careers and then placed in strategic companies and organizations for espionage. They acually employ hackers, as the investigations have shown.

THE DNC EMAIL HACK

Hacked from March 2015-June 2016

THE PODESTA EMAILS

Hacked in March 2016 and released October 2016