Sunday, August 19, 2018

The Russia Investigation: A High Tech Spy Story

The Details of Russian Interference

As of now, per the latest Mueller indictment, Fancy Bear is identified as two cyber units of the GRU, Units 26165 and 74455. They are responsible for infiltrating the DCCC, the DNC, and the Hillary Campaign, in particular its Campaign Manager, Joe Podesta. The initial attacks were through directed emails (called spear phishing by us techies) that can trick the receiver into revealing his password or installing malware. Among the malware, X-Agent was used, which was also used in several other Russian operations. X-Agent was used to move documents to a GRU-based computer in Arizona. According to the indictment, X-Agent was “developed, customized, and monitored” by a GRU officer.

One of the clues that Russia was involved was that similar attacks had been made against other countries, including Georgia and Ukraine. In fact, these states have been a “proving ground” for hacking techniques that are later used against the US and other countries.

As you may remember, the emails and other material stolen from the DCCC and DNC were strategically released around the Democratic Convention to create chaos and anger among Democratic supporters. The Podesta emails were released right after the Hollywood Tapes were revealed, to create a distraction for Trump.

To create authority, the emails were released en masse through WikiLeaks. This meant that it was reporters who selectively released the emails. It also allowed the Russians to rewrite emails and mix a few false ones in with the legitimate ones.

To create anonymity, a false account, Guccifer 2.0, was established as the front to release the information. The name Guccifer has a history within the hacking community, which assisted in the fiction that it was a lone hacker, not the Russian government, that had stolen and released the data. The real source was later discovered, possibly as expected, but by that time the propaganda had had its intended effect. In this persona, the Guccifer 2.0 team continued to post, at one point being tracked to a Moscow-based server managed by Unit 74455. They also used a network of virtual private networks (VPNs) in Malaysia which were purchased with the same pool of bitcoins used by the Guccifer 2.0 account.

The Mueller indictment does not refer to Cozy Bear. CrowdStrike (and other security groups) identified their profile in the hacking of the DNC a year earlier than Fancy Bear’s; they went undiscovered until Fancy Bear was detected. Cozy Bear has also been linked to Russian activities, but their connection with Fancy Bear was not discussed in the indictment.

In the previous post, I detailed how you can fake popularity (and authority, for some readers) by using multiple accounts, either by computer or by cheap labor. The previous Mueller indictment links these efforts to “front companies” that were associated with the Russian Government. The most well-known is the Internet Research Agency. Fake posts and stories were fabricated using decades of espionage techniques Russia acquired in the Cold War to co-opt governments, radicalize people, and create disruptions.

In other words, Russia launched a skilled marketing campaign that would have won awards on 5th Avenue if it had been done for money.

There were also more traditional means of infiltration. Agents traveled to the US to gather intelligence and become part of political movements that could be co-opted to Russian goals or encouraged to create social disorder. In addition to several persons listed in Mueller’s 2nd indictment, Marina Butina was arrested, becoming the most famous example.

So, that is a lot of information, and if you read the last post, you can see how this all confirms that we know it was the Russians. Let me take a moment to point out the details that let us know the Russian Government was responsible:
  1. Only nation-state actors can do hacks and propaganda campaigns that require this level of skill and coordination with only politics as a goal.
  2. The hacks of the DNC and Hillary Campaign match the Fancy Bear profile. This profile also matches several pro-Russian attacks; NATO, Georgia, and Ukraine were some of the targets.
  3. Tools and resources used by Fancy Bear tie them directly to GRU cyber units, Units 26165 and 74455.
  4. The use of emails for spear phishing and fake accounts such as Guccifer 2.0 was traced back to Units 26165 and 74455 of the GRU.
  5. A server in Arizona was used that can be linked to front companies maintained by the GRU.
  6. A server in Moscow was used that is owned by GRU Unit 74455.
  7. There is a financial trail of bitcoins that links different aspects of the operation.
  8. Several companies with ties to the Russian Government were responsible for manipulating false stories and posts through social media.
  9. Human agents who were part of the propaganda campaign have been identified entering the US.
Behind this, we must assume that there are classified sources and computer forensics techniques proving all this, and we will never know them, at least not for a while. However, the information that is public should be damning in and of itself. Perhaps if you squint your eyes and abandon all critical thought, you could create some convoluted logic to explain it away. But let me put it this way. What if this had been Iraq, which we have hacked and whose elections we have interfered in? If it had been Iraq, we’d be dropping bombs.

Wednesday, August 8, 2018

The Russia Investigation: No Way It's a 300 lbs Hacker in a Basement


Yes, We Can Know the Russians Interfered in the 2016 Election. Here's How.

Understanding how the Russians interfered in the election involves computer forensics and counter-espionage. It also does not help that new information keeps being discovered. You know, this is the third time I have started this article and had to start over. Hopefully, third time’s the charm.

Let’s start with how we know that the Russians were the hackers.

First off, how can you tell which computer the hacks come from? In any two-way communication, both parties must give a way to identify each other. In other words, each needs to give the other a form of address (mailing address, email name, phone number, etc.). That’s no different when computers talk; in fact, it’s called an ‘IP address’. This is how Google can figure out where your computer is without a GPS. It’s not always good enough to find your computer or house, but it can get within a few blocks. It will definitely tell what country the computer is in.

And in a two-way conversation it can’t be faked (or ‘spoofed’, as us techies call it); otherwise, the two computers can’t talk to each other. However, there is a problem. Hackers don’t want to be tracked, so they route through other computers. They hack into one computer and then do all their other hacks from there. In fact, the main reason a hacker may be interested in your computer or mine is not for what’s on it, but so that their hacks get traced back to us. While we may see an IP address from Russia, it could be from a hacker in the US. (Though most of the time it’s the other way around.)

However, while you can’t look at an IP address and know which computer is the hacker’s, they can’t change computers too often, so you can know if it’s the same hacker.

And so we come to the next forensic technique. Hackers are profiled just like serial killers. You may not know who they are right away, but you track them by the specific way a hacker hacks: what computers are used, what software is used, who they target, what vulnerabilities are exploited, etc. The software left behind by the hackers (malware) can also be examined for clues. This includes common byte patterns (which indicate the use of the same code) and code comments, which can even show the native language of the programmer.
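The two malware clues just described, as an added example that is not part of the original post: the byte strings standing in for "samples" are constructed here, the 8-byte window size and the 0.3 similarity threshold are this example's own choices, and Cyrillic script is used as the language hint. No real malware or real indicators are involved.

```python
"""Added example (not from the original post): two of the clues described above,
applied to constructed byte strings standing in for malware samples.

1. Shared byte patterns: binaries that contain long identical byte runs
   probably reuse the same code, so they are profiled as related.
2. Embedded text: file paths, log messages and comments left in a binary can
   hint at the author's language; here Cyrillic script is the clue looked for.

Everything below is constructed for illustration; no real malware is involved.
"""
from __future__ import annotations

import re

# Constructed "code" region reused by two samples (96 distinct bytes, repeated).
SHARED_CODE = bytes(range(0x80, 0xE0)) * 2
# Constructed build path of the kind compilers leave in binaries.
ASCII_NOTE = b"C:\\build\\agent\\release\\x64\\"
# Constructed UTF-8 log message in Russian ("send file to server").
CYRILLIC_NOTE = "отправить файл на сервер".encode("utf-8")

# Three constructed samples: A and B share code, C is unrelated.
SAMPLE_A = b"MZ" + bytes(64) + SHARED_CODE + ASCII_NOTE + bytes(32) + CYRILLIC_NOTE
SAMPLE_B = b"MZ" + bytes(48) + b"\x90" * 16 + SHARED_CODE + bytes(8) + b"config.ini\x00"
SAMPLE_C = b"MZ" + bytes(64) + bytes(range(0xFF, 0x7F, -1)) * 2 + b"hello world\x00"


def byte_ngrams(data: bytes, n: int = 8) -> set[bytes]:
    """All n-byte windows of data, minus padding runs (a single repeated byte),
    which would otherwise make every zero-padded file look related."""
    grams = set()
    for i in range(len(data) - n + 1):
        window = data[i:i + n]
        if len(set(window)) > 1:
            grams.add(window)
    return grams


def similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the n-gram sets: 0.0 (nothing shared) to 1.0 (identical)."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 1.0


def embedded_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable runs in the blob: plain ASCII, plus UTF-8 two-byte sequences
    (which is how Cyrillic is encoded) mixed with spaces."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\xc2-\xdf][\x80-\xbf]|\x20){%d,}" % min_len, data):
        try:
            found.append(m.group().decode("utf-8"))
        except UnicodeDecodeError:
            continue
    return found


CYRILLIC = re.compile(r"[\u0400-\u04ff]")


def language_clues(data: bytes) -> list[str]:
    """Embedded strings written in Cyrillic script: a hint about the author's
    native language, to be weighed with other evidence, never proof on its own."""
    return [s for s in embedded_strings(data) if CYRILLIC.search(s)]


def profile(samples: dict[str, bytes], threshold: float = 0.3) -> dict:
    """Pair up samples whose code overlap reaches the threshold and collect
    the language clues found in each one."""
    names = list(samples)
    related = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            score = similarity(samples[a], samples[b])
            if score >= threshold:
                related.append((a, b, round(score, 2)))
    return {
        "related": related,
        "language_clues": {name: language_clues(blob) for name, blob in samples.items()},
    }


if __name__ == "__main__":
    report = profile({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C})
    for a, b, score in report["related"]:
        print(f"{a} and {b} share code (similarity {score})")
    for name, clues in report["language_clues"].items():
        print(f"{name}: language clues {clues}")
```

Two design points matter in practice. Padding runs are dropped before comparing, because every executable is full of zero padding and counting it would make unrelated files look related. And the Cyrillic hit is reported as a clue, not a verdict: a language string is easy to plant, so analysts weigh it alongside the code overlap, the targets and the infrastructure, which is exactly the profiling the post describes.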

Now for a part that gets confusing. These profiles are tracked by different governments and private companies, and so there can be more than one name for the same profile. The two groups connected to the DNC and Podesta emails, Cozy Bear and Fancy Bear, were also known by the memorable names APT29 and APT28, and many others. Depending on when the news stories were written, you can see all these names and understandably be confused.

OK. This is really important to remember. Hackers rarely work alone. Despite the movies and stories of lone hackers, nowadays hacking is too complicated and time-consuming for individuals to do. And having a team of skilled individuals focusing on the same objective costs money. Serious hacking is not a hobby. It's a job.

That’s why most hacking groups belong to criminal organizations. And it gets worse for the lone hacker. Once a hack is discovered, companies can fix their software to prevent it. That's part of those monthly updates you are always getting, and why you want to keep your software updated. What this means is that criminal hackers must continuously find new ways to hack. Again, that is why they can't do it for free and can't do it alone.

There are also 'white hat' hackers who work for universities, research groups, or security companies, though they don't actually hack computers. They look for tricks criminal hackers (black hats) may use. (Us techies call these tricks 'exploits'.) However, a single exploit is usually not enough to hack a computer. You need several exploits, each attacking a different aspect of security: getting past firewalls, avoiding detection, etc. Many exploits are caught before hackers can use them, or even before it’s proven that they are practical. Sometimes it’s just pure research, and sometimes exploits are sold to the vulnerable company. There is also a black market for exploits.

In other words, hackers are indeed part of a broad industry mostly populated by small and large businesses. They are ruled by economics as much as by technology.

One consequence is that criminal hackers must hack en masse, looking for those who have not updated their computers, and maximize profit before their hacks are discovered. So ask yourself: if an individual is hacked with no way of making money from it, who could do that? Who can engage in expensive endeavors without making money? Governments, obviously, and in particular intelligence agencies and the military. In other words, spies.

Spies hack differently than criminals. Criminals usually try to get their money as fast as they can, expecting to be discovered. Spies don't need to make money, but the secrets they steal will lose value if the hack is ever found. Often spies have custom software created by government agencies (like the NSA and GRU) that won't be detected the way other exploits would be (hopefully).

So now you can see that within the white/black hat hacking industry there is a hidden cat-and-mouse spy game going on, and when spy hackers are discovered, they can be distinguished from your typical criminal hacker. And as with all other espionage, these hacker spies can be identified just as you would non-hacker spies: surveillance, informants, who profits from their activities, etc. Cozy Bear and Fancy Bear have been observed by intelligence agencies (and not just US ones) for years and linked to several Russian operations. Some of the targets include NATO, Georgia, and the Ukrainian military. Now, who would want to do that?

Saying we don’t know that the Russians are responsible for the Hillary Campaign and DNC hacks is like saying the police cannot tell the difference between a mugger and a bank robber.

Now there is another way the spies acted differently than others. I said before that spies want to keep the stolen secrets secret. What I should have said is that they don’t want their stolen secrets known until they are ready. China hacked Obama's and McCain’s campaigns. However, they never released what they stole or used it to interfere in the election. They wanted the information to better predict and negotiate with the next president. The Russians, however, did release what they stole, timed to interfere with the election. That added more evidence that it was Russia.

To release the information, they had to set up accounts that can be traced. Granted, they were fake and created by fronts, but with subpoena power and cooperation you will get more clues to the source. Even more damning is that you must keep these accounts, and the computers you are releasing from, around longer. In fact, servers leased to front companies were used, not just randomly hacked computers. (I speculate that was because you can’t move the vast amounts of data they had undetected on just any computer.)

Now we get to the Russian propaganda campaign.

Let’s start by saying this is not new. Since even before the Cold War, Russia has been using espionage to interfere with other countries’ elections. So have we, for that matter. England did so to us in 1940 to keep us in WWII.

Basically, you pretend to be a member of the country (or co-opt existing members) to politically advocate something you want, undermine the existing government, or just cause chaos. The main idea is to make your actions look like they are coming from within the country instead of from outside. The big difference today is that you can supercharge it with computers.

You may or may not know that I maintain several email addresses. You probably do as well, say one for home and one for work. And you probably have a few email addresses that you don’t use. For example, your internet provider probably gives you one that you ignore. And that also means it’s not hard to have a couple of Facebook, Twitter, and other social media accounts. Which means you can ‘follow’, ‘like’, and ‘retweet’ yourself. I have.

There is a good reason for doing that. Sometimes I want the same post to go to a different audience. Sometimes what I post can look different when viewed from other accounts, so I follow myself to check. That, however, can make it look like I’m twice as popular as I am. So I do it judiciously. But what if I weren’t scrupulous? Everything I post would have twice the ‘likes’ and always have at least one retweet. And why stop there? I could set up 10 accounts and be 10 times as popular. Of course, after a while it would be too laborious, but then it would not be that hard to write a computer program to do it for me. Then I could be 1,000 or 10,000 times as popular. There is no limit. If I’m wily enough, I could have every one of my posts be so popular they rise to the top of every Facebook and Twitter list. I could be more influential than a Kardashian.

But of course, Facebook and Twitter don’t want me to do that. They have software (and maybe people) always looking for ‘non-human’ behavior to catch precisely this. But the Russian government had an easy workaround: hire real people. Russia maintains troll farms, or web brigades: groups of people employed to perform influence operations, in other words, to spread propaganda posing under false identities on the Internet. And again, we can track them back to the Russian GRU through all the techniques I discussed: computer forensics, profiling, and espionage.
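What that ‘non-human’ behavior check can look like, as an added example that is not part of the original post and not any platform's actual code: the posts, the accounts and the engagement times below are constructed, and the three signals and their thresholds (10 seconds, 90% concentration, a 5-second lockstep window) are this example's own choices.

```python
"""Added example (not from the original post): detection logic for the
'non-human' amplification the post describes. Three signals are combined:

  single_target  an account that engages almost only with one author's posts,
  machine_fast   reactions that land seconds after each post goes up,
  lockstep       several accounts reacting to the same posts within seconds
                 of one another.

The posts and engagement events below are constructed; times are seconds.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import median

# Constructed posts: post_id -> (author, publish time in seconds)
POSTS = {
    "p1": ("alice", 0), "p2": ("alice", 600), "p3": ("alice", 1200),
    "p4": ("alice", 1800), "p5": ("alice", 2400),
    "q1": ("bob", 300), "q2": ("bob", 1500),
}
ALICE_POSTS = ["p1", "p2", "p3", "p4", "p5"]


def _engage(account: str, post_ids: list[str], delays: list[int]) -> list[tuple[str, str, int]]:
    """Build (account, post_id, time) events, each `delay` seconds after its post."""
    return [(account, p, POSTS[p][1] + d) for p, d in zip(post_ids, delays)]


# Constructed engagement log: three scripted accounts, the author's own second
# account used "judiciously", and two ordinary followers.
EVENTS = (
    _engage("bot_1", ALICE_POSTS, [2, 2, 3, 2, 2])
    + _engage("bot_2", ALICE_POSTS, [3, 2, 2, 3, 2])
    + _engage("bot_3", ALICE_POSTS, [2, 3, 2, 2, 3])
    + _engage("alice_alt", ALICE_POSTS, [45, 90, 60, 120, 30])
    + _engage("human_1", ["p1", "q1", "p3", "q2"], [900, 2000, 3600, 700])
    + _engage("human_2", ["p2", "q1", "p5"], [7200, 5400, 100])
)


def account_signals(events, posts, min_events=5, fast_seconds=10):
    """Per account: how concentrated its engagement is and how fast it reacts."""
    by_account = defaultdict(list)
    for account, post_id, t in events:
        by_account[account].append((post_id, t))
    signals = {}
    for account, items in by_account.items():
        authors = [posts[p][0] for p, _ in items]
        top_share = max(authors.count(a) for a in set(authors)) / len(authors)
        latency = median(t - posts[p][1] for p, t in items)
        signals[account] = {
            "n": len(items),
            "top_author_share": round(top_share, 2),
            "median_latency_s": latency,
            "single_target": len(items) >= min_events and top_share >= 0.9,
            "machine_fast": latency <= fast_seconds,
        }
    return signals


def lockstep_groups(events, window=5, min_shared=4, min_size=3):
    """Accounts that react to the same posts within `window` seconds of each
    other, on at least `min_shared` posts, are grouped as acting in lockstep."""
    times = defaultdict(dict)  # post_id -> {account: reaction time}
    for account, post_id, t in events:
        times[post_id][account] = t
    accounts = sorted({a for a, _, _ in events})
    shared = defaultdict(int)  # (account_a, account_b) -> posts reacted to together
    for per_account in times.values():
        names = sorted(per_account)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if abs(per_account[a] - per_account[b]) <= window:
                    shared[(a, b)] += 1
    parent = {a: a for a in accounts}  # union-find over accounts

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), count in shared.items():
        if count >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for a in accounts:
        groups[find(a)].append(a)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


def detect_amplification(events, posts):
    """Flag an account when at least two of the three signals fire."""
    signals = account_signals(events, posts)
    groups = lockstep_groups(events)
    in_group = {a for g in groups for a in g}
    flagged = sorted(a for a, s in signals.items()
                     if s["single_target"] + s["machine_fast"] + (a in in_group) >= 2)
    return {"flagged": flagged, "lockstep_groups": groups, "signals": signals}


if __name__ == "__main__":
    report = detect_amplification(EVENTS, POSTS)
    print("flagged:", report["flagged"])
    print("lockstep groups:", report["lockstep_groups"])
```

Requiring two signals is what keeps the author's own second account, which only trips the concentration signal, out of the flagged set. It also shows why the workaround in the post works: a paid human posting from a real keyboard defeats the latency signal, and if the farm staggers its timing it defeats the lockstep signal too, leaving only the weaker concentration and provenance evidence, which is why the post falls back on forensics, profiling and espionage to tie the accounts to their operators.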


So, now I’ve explained how we discovered the Russians interfered in the 2016 election. Next, I’ll go into detail into exactly what happened.

The Russia Investigation: It's Complicated, or Is It?

We keep saying the Russia Investigation is complicated. It’s not. It comes down to three statements:
  1. The Russian Government interfered with the 2016 election by a combination of hacking and propaganda.
  2. It is possible that members of the Trump Campaign, if not Trump himself, knew beforehand what the Russians were doing or may even have cooperated.
  3. President Trump attempted to obstruct the investigation by firing Comey and by other means.
A lot of the ‘complexity’ is happening because we have a President, a political party, a news network, right-wing radio, and many others doing all they can to make it sound complicated. But that does not explain why other news outlets such as MSNBC say the same. Well, they like to prove things, not just say them. You know, give evidence. That’s where it gets complicated.

The first statement, of Russian interference, involves a computer forensics and counter-espionage investigation.

The second statement, of the Trump Campaign’s cooperation, involves a lot of suspicious meetings and behavior. What makes it complicated is that there is just so much of it. It becomes mind-numbing. Taken individually, each event can be explained away. However, the sheer number of them raises suspicion. Still, it is all circumstantial. We may not know who the conspirators are, how they were involved, how much they were involved, or why until the Mueller Investigation provides witnesses, documents, or other evidence. But note, people have been convicted of criminal conspiracy with less circumstantial evidence.

There is so much circumstantial evidence that by the time I list it all, more is found. I won’t even try, at least not yet. Instead, I will invite you to discover it for yourself. My recommendation is that you just accept that there is more than enough and wait until the investigation is done to see the details.

As for the President committing obstruction, that’s complicated, because… OK, that’s not complicated at all. He confessed to it, on tape, in front of America and Lester Holms. Any argument that it’s not is just political nonsense. The only reason he is not being impeached is because Republicans control Congress. Why is Mueller still investigating it? No idea. From what I have seen before, prosecutors look for as much evidence as they can, even when it seems like they have enough. That’s especially true when the target is powerful, like, say, the President of the United States.

With the question of the Trump Campaign’s involvement, I’m not sure I can do more than is already being done by your chosen news source. As for the third, as far as I’m concerned, it’s only a political question, and discussing whether or not Trump obstructed is a waste of time.


However, with how the Russian Government interfered and how we know, I can help a lot. So, check out my next post.