Re: Our Man in London: The Scandal of the 35-Page ‘Intellige
Posted: Fri Jan 20, 2017 6:38 pm
The Hacking Evidence Against Russia Is Extremely Weak
by WashingtonsBlog
December 18, 2016
NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT
Last week, German security officials said that Russia hacked secret German communications and provided them to Wikileaks (English translation).
Russia hacked secret Bundestag files. According to the security authorities, the documents from the NSA investigation committee published by Wikileaks probably stem from the Russian cyber attack on the Bundestag.
by Markus Wehner and Eckart Lohse
Berlin
November 12, 2016
According to German security circles, Russia is behind the publication of more than 2,400 secret files from the Bundestag's NSA investigation committee. "There is a high degree of plausibility that the files come from Russia's cyber attack on the Bundestag in the spring of 2015," a senior security official told the "Frankfurter Allgemeine Sonntagszeitung" (FAS).
The files were published two weeks ago on the whistleblowing platform Wikileaks. They date from the period between the spring of 2014 and January 2015. They are files that were stored on a server of the Bundestag administration and were accessible to the committee's members.
The fact that no other files were published, and in particular none from the period after January 2015, indicates in the view of security circles that the documents come from the cyber attack on the Bundestag in the spring of 2015, for which Russia is held responsible. Although files from the Chancellor's Office, the Federal Intelligence Service (BND) and the Federal Office for the Protection of the Constitution continue to be supplied to the committee, no file digitized after January 2015 has been published on Wikileaks.
No "fresh" files at Wikileaks
This also means that the published files carried only the lowest level of classification, "classified - for official use only". Files classified at the three higher levels of secrecy were not on the Bundestag server but could only be viewed (in paper form) in the Parliament's secretariat.
It is unlikely that the files were passed on to Wikileaks from a parliamentary office in the Bundestag, for then an attempt would have been made to publish as many "fresh" files as possible.
The NSA committee is investigating the massive data surveillance by the American intelligence agency NSA and, in this context, the role of the BND. In the view of security circles, the publication of the documents is a parallel case to the hacker attack on the servers of the Democratic Party in the United States. The American as well as the German intelligence services hold Russia responsible for that attack. At the time, the captured documents were also published on Wikileaks and led to the resignation of Democratic party chair Debbie Wasserman Schultz, because she had allegedly disadvantaged Hillary Clinton's competitor Bernie Sanders. Within the federal government it is assumed that Russia will also use the material captured in the hacker attack during the Bundestag election campaign to discredit parties or individual deputies.
In Germany, the BND and the Federal Office for the Protection of the Constitution were commissioned in the spring to assess the threat posed by Russian cyber attacks and disinformation. According to FAS information, the intelligence services' report is ready and is to be partially released at the beginning of next year. The federal government then wants to decide how to tackle the threat.
But now, German officials say that the communications were likely leaked from an insider within the German parliament, the Bundestag (English translation).
Source of the revelations suspected in the Bundestag. After the publication of thousands of documents from the NSA investigation committee, Russian hackers had recently been suspected. Now the authorities suspect a leak in the Bundestag itself.
17.12.2016 Because of the Wikileaks documents from the NSA investigation committee, the Bundestag police are now apparently investigating within Parliament.
After the publication of confidential files from the NSA investigation committee, the Bundestag police are looking for the perpetrators in parliament, as the news magazine "Spiegel" reports. "A violation of secrecy and of a special duty of confidentiality" has been established, a Bundestag spokesman confirmed to the magazine. Bundestag President Norbert Lammert (CDU) had approved the investigation against persons unknown. The German Bundestag is its own police jurisdiction.
According to the report, federal security authorities are convinced that it was not hackers who stole the 2,420 documents published by the Internet platform Wikileaks in early December. There was certainly no evidence that the material had been stolen in the 2015 cyber attack on the Bundestag, it was said in security circles.
The "Spiegel" pointed out that the Wikileaks material comprised 90 gigabytes, whereas only 16 gigabytes of data were stolen from the compromised Bundestag computers. The cyber attack also apparently did not affect any members of the Bundestag or staff connected to the NSA investigation committee.
The "Frankfurter Allgemeine Sonntagszeitung" had quoted a senior security official a week earlier as saying that there was "high plausibility" that the secrets published by Wikileaks had been captured in the cyber attack on the Bundestag. Russian hackers are held responsible for that attack. Committee chairman Patrick Sensburg (CDU) had also not ruled out a foreign hacker attack immediately after the publication of the documents.
According to WikiLeaks, the approximately 2,400 documents come from various federal agencies such as the Bundesnachrichtendienst and the federal offices for the protection of the constitution and for information security. The documents are intended to provide evidence of cooperation between the US National Security Agency (NSA) and the BND.
Since April 2014, the Committee has dealt with the seemingly all-encompassing data surveillance by the secret services, especially the NSA. Numerous documents are classified as confidential. Often, the Committee meets in public. It is also concerned with cooperation between the intelligence services in the field of counterterrorism and the underlying, also confidential, agreements between governments. The work of the Federal Intelligence Service is also a focus.
Similarly, when a treasure trove of secret NSA tools were revealed, Russian hackers were initially blamed.
But it turns out that it was probably a leak by an NSA insider.
So claims that Russia is behind any specific hacking incident need to be taken with a grain of salt …
A group of high-level former American intelligence officials – including the man who designed the NSA’s global surveillance system (Bill Binney), a 27-year CIA official who personally delivered the daily briefing to both Democratic and Republican presidents (Ray McGovern), and others – say that the Democratic Party emails were not hacked, but were actually leaked by insiders.
A former British intelligence analyst and British Ambassador to Uzbekistan (Craig Murray) alleges that he personally met the leaker, and that it was an American working for the NSA.
But whether or not these American and British intelligence officials are right that the Democratic emails were leaked by insiders as opposed to hacked by Ruskies, the fact remains that the evidence for Russian hacking is very weak.
Initially, the main allegation for Russia hacking Democratic emails to throw the election for Trump is that Wikileaks released Democratic – but not Republican – emails.
However, the RNC says that their cybersecurity stopped attempts to hack into their computers. If true, then it may be that the Dems were simply more careless than the GOP. Indeed, John Podesta fell for a basic phishing scam.
Moreover, it’s famously difficult to attribute the source of hacks.
A leading IT think tank – the Institute for Critical Infrastructure Technology – points out:
Malicious actors can easily position their breach to be attributed to Russia. It’s common knowledge among even script kiddies that all one needs to do is compromise a system geolocated in Russia (ideally in a government office) and use it as a beachhead for attack so that indicators of compromise lead back to Russia. For additional operational security, use publicly available whitepapers and reports to determine the tools, techniques, and procedures of a well-known nation-state sponsored advanced persistent threat (APT), access Deep Web forums such as Alphabay to acquire a malware variant or exploit kit utilized in prolific attacks, and then employ the malware in new campaigns that will inevitably be attributed to foreign intelligence operations. Want to add another layer? Compromise a Chinese system, leap-frog onto a hacked Russian machine, and then run the attack from China to Russia to any country on the globe. Want to increase geopolitical tensions, distract the global news cycle, or cause a subtle, but exploitable shift in national positions? Hack a machine in North Korea and use it to hack the aforementioned machine in China, before compromising the Russian system and launching global attacks. This process is so common and simple that it’s virtually “Script Kiddie 101” among malicious cyber upstarts.
***
Incident Response techniques and processes are not comprehensive or holistic enough to definitively attribute an incident to a specific threat actor from the multitude of script kiddies, hacktivists, lone-wolf threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs), who all possess the means, motive, and opportunity, to attack minimally secured, high profile targets.
***
Attribution might be reliable if the target is well-protected, if the target operates in a niche field, or if the malware involved in the incident is unique, because one or more of those characteristics can be deterministic of the sophistication and resources of the threat actor. Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats (APTs); and because the malware discovered on DNC systems was well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.
***
Both APT28 and APT29 are well-known sophisticated threat actors that have been extensively profiled by cybersecurity firms such as FireEye. As a result, their profiles, operational behavior, tools, and malware could all be easily emulated by even an unsophisticated adversary in a campaign against an insecure target such as the DNC, which did not prioritize cybersecurity, cyber-hygiene, or system cyber resiliency. For instance, the cyber-criminal group Patchwork Elephant, known for adopting malware from other campaigns, could easily have also conducted the DNC/RNC attacks by emulating APT28 and APT29.
James Carden – a former Advisor to the US-Russia Presidential Commission at the US State Department – writes:
Evidence of a connection between the Russian government and the hackers that are believed to have stolen the DNC/John Podesta e-mails remains illusory. Cyber-security expert Jeffrey Carr has observed that “there is ZERO technical evidence to connect those Russian-speaking hackers to the GRU, FSB, SVR, or any other Russian government department.” The very real possibility that non-state actors carried out the hack of the DNC has been conspicuously absent from the mainstream narrative of “Russian interference.”
Craig Murray notes:
Despite himself being a former extremely competent KGB chief, Vladimir Putin [is alleged to have] put Inspector Clouseau in charge of Russian security and left him to get on with it. The Russian Bear has been the symbol of the country since the 16th century. So we have to believe that the Russian security services set up top secret hacking groups identifying themselves as “Cozy Bear” and “Fancy Bear”. Whereas no doubt the NSA fronts its hacking operations by a group brilliantly disguised as “The Flaming Bald Eagles”, GCHQ doubtless hides behind “Three Lions on a Keyboard” and the French use “Marianne Snoops”.
What is more, the Russian disguised hackers work Moscow hours and are directly traceable to Moscow IP addresses. This is plain and obvious nonsense. If CrowdStrike [the consulting firm hired by the Democratic National Committee] were tracing me just now they would think I am in Denmark. Yesterday it was the Netherlands. I use Tunnel Bear, one of scores of easily available VPNs, and believe me, the Russian FSB have much better resources. We are also supposed to believe that Russia’s hidden hacking operation uses the name of the famous founder of the Communist Cheka, Felix Dzerzhinsky, as a marker and an identity of “Guccifer2” (get the references – Russian oligarchs and their Gucci bling and Lucifer) – to post pointless and vainglorious boasts about its hacking operations, and in doing so accidentally leave bits of Russian language script to be found.
The Keystone Cops portrayal of one of the world’s most clinically efficient intelligence services is of a piece with the anti-Russian racism which has permeated the Democratic Party rhetoric for quite some time. Frankly nobody in what is vaguely their right mind would believe this narrative.
It is not that “Cozy Bear”, “Fancy Bear” and “Guccifer2” do not exist. It is that they are not agents of the Russian government and not the source of the DNC documents. Guccifer2 is understood in London to be the fairly well known amusing bearded Serbian who turns up at parties around Camden under the (assumed) name of Gavrilo Princip.
Of course there were hacking and phishing attacks on the DNC. Such attacks happen every day to pretty well all of us. There were over 1,050 attacks on my own server two days ago, and many of them often appear to originate in Russia – though more appear to originate in the USA. I attach a Cloudflare threat map. It happens to be from a while ago as I don’t have a more up to date one to hand from my technical people. Of course in many cases the computers attacking have been activated as proxies by computers in another country entirely. CrowdStrike apparently expect us to believe that Putin’s security services have not heard of this or of the idea of disguising which time zone you operate from.
One Day’s Attempts to Hack My Own Server – Happens Every Single Day
Pretty well all of us get phishing emails pretty routinely. Last year my bank phoned me up to check if I was really trying to buy a car with my credit card in St Petersburg. I don’t know what the DNC paid “Crowdstrike” for their narrative but they got a very poor return for their effort indeed. That the New York Times promotes it as any kind of evidence is a truly damning indictment of the mainstream media.
Andrew Cockburn asks some hard-hitting questions:
1/ The DNC hackers inserted the name of the founder of Russian intelligence, in Russian, in the metadata of the hacked documents. Why would the G.R.U., Russian military intelligence do that?
2/ If the hackers were indeed part of Russian intelligence, why did they use a free Russian email account, or, in the hack of the state election systems, a Russian-owned server? Does Russian intelligence normally display such poor tradecraft?
3/ Why would Russian intelligence, for the purposes of hacking the election systems of Arizona and Illinois, book space on a Russian-owned server and then use only English, as documents furnished by Vladimir Fomenko, proprietor of Kings Servers, the company that owned the server in question, clearly indicate?
4/ Numerous reports ascribe the hacks to hacking groups known as APT 28 or “Fancy Bear” and APT 29 or “Cozy Bear.” But these groups had already been accused of nefarious actions on behalf of Russian intelligence prior to the hacks under discussion. Why would the Kremlin and its intelligence agencies select well-known groups to conduct a regime-change operation on the most powerful country on earth?
5/ It has been reported in the New York Times, without attribution, that U.S. intelligence has identified specific G.R.U. officials who directed the hacking. Is this true, and if so, please provide details. (Witness should be sworn.)
6/ The joint statement issued by the DNI and DHS on October 7 2016 confirmed that US intelligence had no evidence of official Russian involvement in the leak of hacked documents to Wikileaks, etc, saying only that the leaks were “consistent with the methods and motivations of Russian-directed efforts.” Has the US acquired any evidence whatsoever since that time regarding Russian involvement in the leaks?
So while Russia may have hacked the Democratic emails and then delivered them to Wikileaks, the evidence is extremely weak.