Dailydave mailing list archives

Re: "When you shoot at the king, you best not miss."


From: "spacerog () spacerogue net" <spacerog () spacerogue net>
Date: Thu, 16 Jun 2016 12:08:56 -0400


Is there any public evidence to support the claim that Guccifer 2.0 is a Russian disinformation campaign? CrowdStrike is claiming they have additional info they haven't released, but in my book that is just as good as a New York Times anonymous source.

The complexity of pulling off such a campaign and not getting caught doing it would suggest they have the skills to not let their hacking get caught in the first place. In my opinion, as you pointed out, the risk of trying such a disinformation campaign and getting caught doing it far outweighs any potential political gains.

Of course if you take into account the recent Russian claims that US hacking attacks don't get the same coverage in the media as Russian attacks, who are (currently) being blamed for almost everything, then this may play well into that narrative.

Who knows.

- SR


dave aitel wrote:
So I want to point out some things about this really weird DNC Hack. The
only example I can think of where a nation-state hacked someone and then
released the documents under a cover-account is North Korea and Sony
Pictures Entertainment. I can see examples of other smaller services
(Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a
lot to lose, so acting like this can make sense and probably showed some
teeth at an important time.
But Russia is a whole different kind of service! They have important
connections to the United States, and having the first thing Hillary
thinks if she wins the Presidency be "Let's get back at Russia for
trying to take my campaign out" seems like a cost-benefit equation that
would preclude this kind of action.

Are there other examples of Russian intelligence doing this sort of
thing? Is this a change from the norm? Surely this isn't what Russia
wants the new norm to be, right?

-dave


    Conversation <https://twitter.com/thegrugq/timelines/743231527639621632>

 1. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743179750064037888>

    Now THIS is a really interesting development in #DncHack: @Gawker has
    & is publishing the DNC's Trump oppo research

 2. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743180111038472192>

    This is a big development, because it means whoever did #DncHack to
    get Trump oppo file was doing it (bear with me) in *support* of Trump.

 3. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743180624731717636>

    How does this help Trump, you ask? It's a full dump. Trump gets lots
    of bad news today, but DNC loses ability to use contents strategically.

 4. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743183682530324480>

    A few observations about this op 1) Another data point in Russian
    SIGINT strategically leaking stolen data to push a particular narrative.

 5. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743184280008916992>

    2) This para. V. bad for DNC if those are classification markings
    (but could be campaign "doc is sensitive" bluster)

 6. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743184776547340288>

    3) Gosh, I wonder what outlet Russian intelligence is going to use
    to launder these stolen documents.

 7. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 18 hours ago
    <https://twitter.com/pwnallthethings/status/743184953546924033>

    4) If you want to peruse the Trump oppo research directly, here's
    the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf…

 8. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743191210718797824>

    5) Site apparently set up by the group that hacked DNC
    https://guccifer2.wordpress.com/

 9. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743191996437770241>

    6) This is all of the text from the hacker's post, in case website
    gets taken down. Check out the broken English.

10. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743194146752565248>

    7) Uh oh. This is an unfortunate document for Russia to steal from
    under the noses of the DNC.

11. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743197064843104257>

    8) Lol. Russian #opsec fail.

12. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743199185596465152>

    9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers
    using VMs to open some (but clearly not all) docs

13. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 17 hours ago
    <https://twitter.com/pwnallthethings/status/743200699975086083>

    10) Files from Russian Intelligence Agencies can contain viruses.
    It's safer to stay in Protected View

14. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 16 hours ago
    <https://twitter.com/pwnallthethings/status/743201610235514880>

    11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but
    it's not very interesting, and likely not hacker

15. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 16 hours ago
    <https://twitter.com/pwnallthethings/status/743203462683496448>

    Pwn All The Things Retweeted Peter Johnson

    12) To clarify: leak is the RU-lang settings, not name (cover name
    references "Iron Felix"
    https://en.wikipedia.org/wiki/Felix_Dzerzhinsky…)

    Pwn All The Things added,

    Peter Johnson (@alcebaid): @pwnallthethings Felix is really a pseudo
16. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 16 hours ago
    <https://twitter.com/pwnallthethings/status/743208737469509632>

    Pwn All The Things Retweeted (((davi - 德海)))

    13) Another #opsec fail. (This happened because they did an Export as
    PDF, and then later saved, w/ lang set to RU)

    Pwn All The Things added,

    (((davi - 德海))) (@daviottenheimer): @pwnallthethings "error! invalid
    hyperlinks" in Russian...
17. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 16 hours ago
    <https://twitter.com/pwnallthethings/status/743209989217587200>

    14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username
    is founder of USSR secret police & likes laundering docs via Wikileaks.

18. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 16 hours ago
    <https://twitter.com/pwnallthethings/status/743211918995951616>

    15) Spot the difference: Left: doc sent to Gawker (page 210). On
    right, same page in https://guccifer2.wordpress.com/

19. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 15 hours ago
    <https://twitter.com/pwnallthethings/status/743221774725300224>

    16) Tangentially related: "VantageUploader" is the tool DNC use to
    share vids. JWT arg leaks author email in base64.

20. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 15 hours ago
    <https://twitter.com/pwnallthethings/status/743226558412918788>

    17) Final piece of metadata: Creation date and software used to turn
    DOC into the Gawker PDF (note: could be journo)

21. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 15 hours ago
    <https://twitter.com/pwnallthethings/status/743228802646573060>

    18) Metadata from the various docs

22. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 15 hours ago
    <https://twitter.com/pwnallthethings/status/743230570440826886>

    Pwn All The Things Retweeted Florian Wagner

    19) @_fl01 points out "Grizli777" indicates that pirated Office
    (2007) was used by the hacker.

    Pwn All The Things added,

    Florian Wagner (@_fl01): @_fl01 @pwnallthethings Get it now ;)
    »Grizli777«'s cracked MS Office seems 2b popular among Russians and
    Romanians.
     1. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 14 hours ago
        <https://twitter.com/pwnallthethings/status/743232989602156546>

        20) Extra data-point: Author on The Smoking Gun's PDF is
        different again. (good chance this is TSG's journo)

     2. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 3 hours ago
        <https://twitter.com/pwnallthethings/status/743408033691279361>

        21) Missed this yesterday, but the hacker contacted TSG (and
        probably Gawker) via a GMZ.us (anonymous) email addr

     3. Pwn All The Things (@pwnallthethings <https://twitter.com/pwnallthethings>), 2 hours ago
        <https://twitter.com/pwnallthethings/status/743416709281898496>

        Pwn All The Things Retweeted CrowdStrike

        22) A weak data point, but @CrowdStrike also says Guccifer2.0
        doesn't change their attribution of #DncHack to Russia

        Pwn All The Things added,

        CrowdStrike (@CrowdStrike): New hacker claims credit for DNC hack.
        CrowdStrike fully stands by attribution to Russian government
        https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/…
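The document-metadata signals the thread turns on (author and company fields, the proofing-language tags, tracked changes left in the body) are exactly what a defender can check on a .docx before it leaves the organisation. This is an added example, not code from the list or from any of the tweets quoted above; it builds a constructed sample document in memory (the author, Company and language values are made up, with "Grizli777" taken from the thread) and inspects it with the Python standard library only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the parts inspected below.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def inspect_docx(data: bytes) -> dict:
    """Return author fields, the app.xml Company string, every w:lang value
    and the number of tracked changes (w:ins/w:del) still in the body."""
    found = {"authors": set(), "company": None, "langs": set(), "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in z.namelist() if n.endswith(".xml")}
    core = parts.get("docProps/core.xml")
    for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
        el = core.find(tag) if core is not None else None
        if el is not None and el.text:
            found["authors"].add(el.text)
    app = parts.get("docProps/app.xml")
    el = app.find(f"{{{EP}}}Company") if app is not None else None
    found["company"] = el.text if el is not None else None
    body = parts.get("word/document.xml")
    if body is not None:
        # w:lang carries w:val / w:eastAsia / w:bidi attributes such as "ru-RU".
        for lang in body.iter(f"{{{W}}}lang"):
            found["langs"].update(lang.attrib.values())
        found["tracked_changes"] = sum(1 for t in ("ins", "del") for _ in body.iter(f"{{{W}}}{t}"))
    return found


def build_sample_docx() -> bytes:
    """Constructed sample (not a real leaked file): Russian proofing language,
    a Company string and one tracked insertion."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:creator>sample-author'
            '</dc:creator><cp:lastModifiedBy>editor</cp:lastModifiedBy></cp:coreProperties>')
    app = f'<Properties xmlns="{EP}"><Company>Grizli777</Company></Properties>'
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:rPr><w:lang w:val="ru-RU"/>'
           '</w:rPr><w:t>text</w:t></w:r><w:ins w:id="1" w:author="editor"><w:r><w:t>added'
           '</w:t></w:r></w:ins></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/document.xml", doc)):
            z.writestr(name, xml)
    return buf.getvalue()
```

Run `inspect_docx(open("file.docx", "rb").read())` on a real document to see the same four fields; anything other than your own expected author, company and language set is worth scrubbing before release.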



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave