Dailydave mailing list archives
Re: "When you shoot at the king, you best not miss."
From: Mara Tam <marasawr () gmail com>
Date: Thu, 16 Jun 2016 17:59:28 -0400
Leaving aside problems with assuming that this is definitely state-sponsored, it is worth reading through the Information Security Doctrine of the Russian Federation.[1] N.B. This has been in place since 2000, and is due to be updated shortly. This Diplomaatia piece surveys the substance of likely changes as well as the motivations driving them.[2] There have been interim update of sorts in changes to the military doctrine from 2010,[3] and from 2014.[4] But, lest one be tempted to shout ‘Ah-HA!’, the US and Russia have been working fitfully towards something like the Sino-American and Sino-Russian non-aggression pacts for ICT since 2013. If Guccifer 2.0 is a proxy acting at the direction of the Russian state, then Russia has been caught violating a core tenet of their own ICT security doctrine (i.e. interfering in the internal affairs of a foreign power), which would be very extremely not good.[5] That said, it is worth keeping in mind that an actor contracted by the state to engage in information warfare may contract to non-state clients as well. And here we trip over the fuzzy grey lines separating ‘sponsored’, ‘sanctioned’, and ’tolerated'. Attribution is hard. -mara _________ [1] http://archive.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc32575d900298676/2deaa9ee15ddd24bc32575d9002c442b!OpenDocument [2] http://www.diplomaatia.ee/en/article/venemaa-foderatsiooni-soovid-it-valdkonna-reguleerimisel/ [3] https://globalvoices.org/2010/02/23/russian-military-doctrine/ [4] Mostly the same as 2010, some additional language specific to the information space in conflict. https://www.offiziere.ch/wp-content/uploads-001/2015/08/Russia-s-2014-Military-Doctrine.pdf [5] For the purposes of this thought experiment, Georgia, Crimea, Kharkiv, Luhansk, and Donetsk are not ‘foreign’.
On 16 Jun 2016, at 11:26, dave aitel <dave () immunityinc com> wrote:
So I want to point out some things about this really weird DNC Hack. The only example I can think of where a
nation-state hacked someone and then released the documents under a cover-account is North Korea and Sony Pictures
Entertainment. I can see examples of other smaller services (Iran, etc.) doing this as well. North Korea, to be fair,
doesn't have a lot to lose, so acting like this can make sense and probably showed some teeth at an important time.
But Russia is a whole different kind of service! They have important connections to the United States, and having the
first thing Hillary thinks if she wins the Presidency be "Let's get back at Russia for trying to take my campaign
out" seems like a cost-benefit equation that would preclude this kind of action.
Are there other examples of Russian intelligence doing this sort of thing? Is this a change from the norm? Surely
this isn't what Russia wants the new norm to be, right?
-dave
Conversation
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
Now THIS is a really interesting development in #DncHack: @Gawker has & is publishing the DNC's Trump oppo research
97 retweets101 likes
Re
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
This is a big development, because it means whoever did #DncHack to get Trump oppo file was doing it (bear with me)
in *support* of Trump.
View conversation35 retweets43 likes
Reply Retweet 35 Like 43
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
How does this help Trump, you ask? It's a full dump. Trump gets lots of bad news today, but DNC loses ability to use
contents strategically.
View conversation34 retweets45 likes
Reply Retweet 34 Like 45
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
A few observations about this op
1) Another data point in Russian SIGINT strategically leaking stolen data to push a particular narrative.
View conversation22 retweets31 likes
Reply Retweet 22 Like 31
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
2) This para. V. bad for DNC if those are classification markings (but could be campaign "doc is sensitive" bluster)
<ClBSKVuXIAAALo3.jpg>
16 retweets17 likes
Reply Retweet 16 Like 17
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
3) Gosh, I wonder what outlet Russian intelligence is going to use to launder these stolen documents.
<ClBSnM2WkAApNd9.jpg>
21 retweets24 likes
Reply Retweet 21 Like 24
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago
4) If you want to peruse the Trump oppo research directly, here's the PDF:
https://assets.documentcloud.org/documents/2861555/1.pdf …
View conversation28 retweets27 likes
Reply Retweet 28 Like 27
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
5) Site apparently set up by the group that hacked DNC https://guccifer2.wordpress.com/
<ClBYdsHWgAA53kN.jpg>
21 retweets25 likes
Reply Retweet 21 Like 25
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
6) This is all of the text from the hacker's post, in case website gets taken down. Check out the broken English.
<ClBZKsnXEAAC9y2.jpg>
<ClBZLXJXEAAgOyW.jpg>
<ClBZKLTXIAQGlIX.jpg>
<ClBZLaXXIAA3kJ-.jpg>
32 retweets29 likes
Reply Retweet 32 Like 29
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
7) Uh oh. This is an unfortunate document for Russia to stolen from under the noses of the DNC.
<ClBbIr3WQAAgkGx.jpg>
25 retweets29 likes
Reply Retweet 25 Like 29
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
8) Lol. Russian #opsec fail.
<ClBdykWWEAALE9E.jpg>
65 retweets76 likes
Reply Retweet 65 Like 76
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using VMs to open some (but clearly not all) docs
<ClBfuApWAAAuD8a.jpg>
10 retweets12 likes
Reply Retweet 10 Like 12
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago
10) Files from Russian Intelligence Agencies can contain viruses. It's safer to stay in Protected View
<ClBhGJUWMAEgFQ7.jpg>
11 retweets19 likes
Reply Retweet 11 Like 19
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but it's not very interesting, and likely not hacker
<ClBh7IhWEAAO6dV.jpg>
5 retweets9 likes
Reply Retweet 5 Like 9
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
Pwn All The Things Retweeted Peter Johnson
12) To clarify: leak is the RU-lang settings, not name (cover name references "Iron Felix"
https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …)
Pwn All The Things added,
Peter Johnson @alcebaid
@pwnallthethings Felix is really a pseudo
View conversation5 retweets9 likes
Reply Retweet 5 Like 9
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
Pwn All The Things Retweeted (((davi - 德海)))
13) Another #opsec fail. (This happened because they did an Export as PDF, and then later saved, w/ lang set to RU)
Pwn All The Things added,
<ClBfs3FUsAAtuk7.jpg>
(((davi - 德海))) @daviottenheimer
@pwnallthethings "error! invalid hyperlinks" in Russian...
View conversation25 retweets27 likes
Reply Retweet 25 Like 27
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is founder of USSR secret police & likes
laundering docs via Wikileaks.
View conversation64 retweets62 likes
Reply Retweet 64 Like 62
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago
15) Spot the difference: Left: doc sent to Gawker (page 210). On right, same page in https://guccifer2.wordpress.com/
<ClBrTJtWEAQwnHT.jpg>
<ClBrR5KWkAACaFo.jpg>
13 retweets18 likes
Reply Retweet 13 Like 18
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
16) Tangentially related: "VantageUploader" is the tool DNC use to share vids. JWT arg leaks author email in base64.
<ClB0Q2LWYAArFdA.jpg>
4 retweets12 likes
Reply Retweet 4 Like 12
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
17) Final piece of metadata: Creation date and software used to turn DOC into the Gawker PDF (note: could be journo)
<ClB4nXdWgAIRY-K.jpg>
<ClB4nYMWgAEfvcI.jpg>
4 retweets8 likes
Reply Retweet 4 Like 8
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
18) Metadata from the various docs
<ClB6p5XWgAQZXCn.jpg>
<ClB6p6QXEAAVA4M.jpg>
<ClB6p7gXEAQc0P1.jpg>
5 retweets3 likes
Reply Retweet 5 Like 3
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago
Pwn All The Things Retweeted Florian Wagner
19) @_fl01 points out "Grizli777" indicates that pirated Office (2007) was used by the hacker.
Pwn All The Things added,
<ClB38YpWIAAOOzt.jpg>
Florian Wagner @_fl01
@_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS Office seems 2b popular among Russians and Romanians.
• Pwn All The Things @pwnallthethings 14h14 hours ago
20) Extra data-point: Author on The Smoking Gun's PDF is different again. (good chance this is TSG's journo)
<ClB-dwjWYAEmW2x.jpg>
4 retweets6 likes
Reply Retweet 4 Like 6
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 3h3 hours ago
21) Missed this yesterday, but the hacker contacted TSG (and probably Gawker) via a GMZ.us (anoymous) email addr
<ClEdqi1WIAA1u9Y.jpg>
7 retweets3 likes
Reply Retweet 7 Like 3
More
• <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 2h2 hours ago
Pwn All The Things Retweeted CrowdStrike
22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't change their attribution of #DncHack to Russia
Pwn All The Things added,
CrowdStrike @CrowdStrike
New hacker claims credit for DNC hack. CrowdStrike fully stands by attribution to Russian government
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
1 retweet4 likes
Reply Retweet 1 Like 4
More
View conversation6 retweets12 likes
Reply Retweet 6 Like 12
More
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- "When you shoot at the king, you best not miss." dave aitel (Jun 16)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." Paul Melson (Jun 17)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." spacerog () spacerogue net (Jun 16)
- Re: "When you shoot at the king, you best not miss." Mara Tam (Jun 17)
- Re: "When you shoot at the king, you best not miss." Thomas Quinlan (Jun 17)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)