
DNC Server Intrusion and Unanswered Questions [Update]

by Oui Fri Jan 26th, 2018 at 07:07:59 PM EST

Off the Cuff - Off the Mark :: Posted on twitter by Emptywheel ...

The geographical location of The Netherlands on a crucial Internet node has forced the Dutch to specialize in cyber security and to be willing to go on the offense. For many years I have posted diaries and comments to illustrate this fact. The Dutch have for decades been "proud" followers of the Anglo-Saxon nations of Canada, the USA and Great Britain in gathering intelligence. The Dutch are a key player in the Nine Eyes. Amsterdam Schiphol airport hosts a local Mossad branch, according to Rafi Eitan in an interview.

Recently the AIVD head Rob Bertholee was interviewed on a TV program called College Tour and revealed that the Dutch will not be sharing all intelligence with the NSA / FBI under the leadership of Trump in the White House ...?? The AIVD will be selective. Where and from which agency have I heard that warning before?

There are still too many open questions left unanswered, such as: "Why didn't the FBI do an extensive search of the compromised DNC servers, but instead left it to a troublesome CrowdStrike, with links to Ukraine and the Atlantic Council, to make up the report on the 'hack'?" Most likely the primary intrusion was made by Guccifer and others followed. Another pressing question is why the Obama administration and the FBI failed in securing the DNC servers, knowing about Cozy Bear and Fancy Bear from the summer (June?) of 2014. In July the MH-17 crash took place near Donetsk in Eastern Ukraine, after the European authorities had been warned of the potential threat of Buk missiles earlier in the same month. Why is the intelligence community sitting on such a "threat" to democracy itself, remaining silent and not acting adequately for months?

See yesterday's diary @BooMan ...

Dutch Hackers Infiltrated Kremlin's Cozy Bear in 2014


[Update-1] In the aftermath of the coup d’état in Kiev, Ukraine, exploited by the US, Russia decided to push its effort in asymmetrical warfare of cyber attacks on United States Government (USG) entities. Touché! Although the FBI and NSA knew through Dutch intelligence what the “Dukes” were up to, the attack on the State Department in November 2014 took 24 hours to repel.

From a February report, many government agencies were vulnerable to malware and hacking due to unpatched software! Blame the Russians, of course. DNC’s poor Internet security blew the presidential election for Hillary Clinton … thx DWS.

Three months after the incursion into the U.S. State Department's e-mail system, US specialists are still working to secure the networks.

In November 2014 the State Department took the unprecedented step of shutting down its entire unclassified email system in response to a suspected cyber attack.

‘Activity of concern’ was detected in the system concurrently with another cyber attack which hit the White House computer network. A State Department staffer answering a call to the State Department Operations Center revealed that, as a precautionary measure, the e-mail system remained down.

    The system outage was caused “as a result of measures we have taken to defend our network,” said the official.

    According to the experts the hacker was engaged in reconnaissance; there is no evidence of a data breach, nor of sabotage. The attacker was trying to discover the composition of the unclassified White House network.

In the same period, other US agencies were targeted by hackers, including the U.S. Postal Service and the National Weather Service. The U.S. Military confirmed that its systems were secure, and according to official sources none of the State Department’s classified systems were affected.

The State Department personnel were asked to stop using official emails and use Gmail instead.

In November, Government officials reported to ABC News that hackers had compromised computing systems in much of the nation’s critical infrastructure.

    A recent report [cached], The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, paints a scary picture of the nation’s defense situation.

    Over 48,000 successful cyber attacks breached US defenses; they were caused by the failure to employ very basic security measures. Weak passwords, unpatched software and inadequate controls are the principal causes of the incidents observed in US government infrastructure.

The attackers have infected the software that runs the critical infrastructure with malware, a circumstance that creates a lot of anxiety in the intelligence and military industry due to the vital role of the hacked architecture. Sources reported to the news agency that the attacks appear to be a state-sponsored hacking campaign and that Russia is the nation coordinating them.

END of Update-1

[Update-2] FBI and Homeland Security detail Russian hacking campaign in new report | The Guardian – Dec. 29, 2016 |

Experts say report is too little too late and comes after several others from private sector detailing alleged exploits of groups Fancy Bear and Cozy Bear.

The US Department of Homeland Security (DHS) and FBI have released an analysis of the allegedly Russian government-sponsored hacking groups blamed for breaching several different parts of the Democratic party during the 2016 elections.

The 13-page document, released on Thursday and meant for information technology professionals, came as Barack Obama announced sanctions against Russia for interfering in the 2016 elections. The report was criticized by security experts, who said it lacked depth and came too late.

“The activity by [Russian intelligence services] is part of an ongoing campaign of cyber-enabled operations directed at the US government and its citizens,” wrote the authors of the government report. “This [joint analysis report] provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the US government.”

The government report follows several from the private sector, notably a lengthy section in a Microsoft report from 2015 on a hacking team referred to as “advanced persistent threat 28” (APT 28), which the company’s internal nomenclature calls Strontium and others have called Fancy Bear. Also mentioned in the government document is another group called APT 29 or Cozy Bear.

The Microsoft report contains a history of the groups’ operation; a report by security analysts ThreatConnect describes the team’s modus operandi; and competing firm CrowdStrike detailed the attack on the Democratic National Committee shortly before subsequent breaches of the Democratic Congressional Campaign Committee and the Hillary Clinton campaign were discovered.

Security experts on Twitter criticized the government report as too basic. Jonathan Zdziarski, a highly regarded security researcher, compared the joint action report to a child’s activity center.

Tom Killalea, former vice-president of security at Amazon and a Capital One board member, wrote: “Russian attack on DNC similar to so many other attacks in past 15yrs. Big question: Why such poor incident response?”

END of Update-2
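The Guardian piece above says the joint DHS/FBI report was "meant for information technology professionals" and "provides technical indicators". What an IT shop actually does with such a document is sweep its own logs for the listed IPs, domains and file hashes. The block below is an added illustration of that sweep; it is not code from the report, from DHS/FBI, or from this diary, and it deliberately does not reproduce any indicator from the report. The indicator feed, the log format and the log lines are constructed for the example.

```python
"""Sweep constructed proxy-style log lines for IP, domain and SHA-256 indicators.

Added illustration only. The indicators and log lines are constructed;
none of them come from the DHS/FBI joint analysis report.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format: <timestamp> <src_ip> <dst_ip> <dst_host> <url> [sha256=<hex>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<host>\S+) (?P<url>\S+)"
    r"(?: sha256=(?P<sha256>[0-9a-fA-F]{64}))?$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str   # "ip", "domain" or "sha256"
    ioc: str        # the indicator that matched
    matched: str    # the log value that matched it


class IocSet:
    """Indicator feed in the three shapes such reports usually carry."""

    def __init__(self, ips, domains, sha256s):
        # Single addresses become /32 networks, so one containment test serves both.
        self.networks = [ipaddress.ip_network(x, strict=False) for x in ips]
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.sha256s = {h.lower() for h in sha256s}

    def match_ip(self, ip_str):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:          # hostname or garbage in the IP column
            return None
        for net in self.networks:
            if ip in net:
                return str(net)
        return None

    def match_domain(self, host):
        # Suffix match on label boundaries: files.cdn.example.net matches
        # cdn.example.net, but notcdn.example.net does not.
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_hash(self, h):
        if h and h.lower() in self.sha256s:
            return h.lower()
        return None


def scan(lines, iocs):
    """Return every indicator hit, keyed by log line number (1-based)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:                   # unparseable line: skip, do not crash the sweep
            continue
        net = iocs.match_ip(m["dst_ip"])        # destination side only
        if net:
            hits.append(Hit(n, "ip", net, m["dst_ip"]))
        dom = iocs.match_domain(m["host"])
        if dom:
            hits.append(Hit(n, "domain", dom, m["host"]))
        h = iocs.match_hash(m["sha256"])
        if h:
            hits.append(Hit(n, "sha256", h, h))
    return hits


# Constructed sample data. The hash is of a harmless constructed byte string.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload, not malware").hexdigest()

CONSTRUCTED_IOCS = IocSet(
    ips=["198.51.100.23", "203.0.113.0/24"],            # RFC 5737 documentation ranges
    domains=["update-checker.example", "cdn.example.net"],
    sha256s=[SAMPLE_SHA256],
)

CONSTRUCTED_LOG = [
    "2016-12-29T10:00:01Z 10.0.0.5 93.184.216.34 www.example.com /index.html",
    "2016-12-29T10:00:07Z 10.0.0.5 198.51.100.23 update-checker.example /ping",
    "2016-12-29T10:01:12Z 10.0.0.9 203.0.113.77 files.cdn.example.net /a.bin sha256=" + SAMPLE_SHA256,
    "2016-12-29T10:02:00Z 10.0.0.9 93.184.216.34 notcdn.example.net /x",
    "this line is not in the expected format",
]


def demo():
    return scan(CONSTRUCTED_LOG, CONSTRUCTED_IOCS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Two design points matter more than the matching itself. The sweep compares indicators against the destination side of each record, so an indicator address that merely probed the perimeter from outside does not show up as a compromise. And a hit is a lead, not a finding: an indicator feed that mixes dedicated attacker infrastructure with shared hosting or anonymizing nodes will flag benign traffic, which is exactly why practitioners wanted more context from the report than the Guardian says it provided.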

[Update-3] The give-away by NSA director Robert Ledgett in a speech at the Aspen Forum in March 2017 …

Candid camera: Dutch hacked Russians hacking DNC, including security cameras | Ars Technica |

Based on the images, analysts at AIVD later determined that the group working in the room was operated by Russia’s Foreign Intelligence Service (SVR). An information and technology sharing arrangement with the National Security Agency and other US intelligence agencies resulted in the determination that Cozy Bear’s efforts were at least in part being driven by the Russian Federation’s leadership—including Russian President Vladimir Putin.

The data collected by AIVD began to pay off in November of 2014, when the agency alerted US intelligence officials that the Cozy Bear group had obtained login credentials and email from US State Department employees, enabling the National Security Agency, the Federal Bureau of Investigation, and the State Department to shut down the attack within 24 hours. A later attack on the White House was also picked up by the AIVD analysts, de Volkskrant’s Huib Modderkolk reported.

In a speech at the Aspen Forum in March of 2017, NSA Deputy Director Robert Ledgett described the effort to defend the State Department as “hand-to-hand combat,” acknowledging that information on the attack had come from a then-unnamed ally. At that time, unnamed current and former intelligence officials had indicated to The Washington Post that said ally had gained access to both the hackers' computers and the surveillance cameras inside their workspace.

Details emerge about 2014 Russian hack of State Department: It was 'hand-to-hand combat'

The NSA defenders, aided by the FBI, prevailed over the intruders, who were working for a Russian spy agency. Private sector analysts have given the hacking group various names, including Cozy Bear, APT29 and The Dukes. That group also compromised unclassified systems at the White House and in Congress, current and former officials said.

The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians' computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.

The Russians' heightened belligerence is aimed not just at collecting intelligence, but also confronting the United States, said one former senior administration official. "They're sending a message that we have capabilities and that you are not the only player in town," said the official.

Cyber Threats: Perspectives from the NSA and FBI | Aspen March 21, 2017 |
Claims GCHQ wiretapped Trump 'nonsense' - NSA's Ledgett | BBC News – March 18, 2017 |

End of update-3

The DNC's Evolving Story about When They Knew They Were Targeted by Russia | Emptywheel - Dec. 16, 2016 |

This week's front page story [NYT] about the Democrats getting hacked by Russia starts with a Keystone Kops anecdote explaining why the DNC didn't respond more aggressively when FBI first warned them about being targeted in September. The explanation, per the contractor presumably covering his rear-end months later, was that the FBI Special Agent didn't adequately identify himself.

    His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named "the Dukes," a cyberespionage team linked to the Russian government.

    The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government's best-protected networks.

This has led to (partially justified) complaints from John Podesta about why the FBI didn't make the effort of driving over to the DNC to warn the higher-ups (who, the article admitted, had decided not to spend much money on cybersecurity).

    The low-key approach of the F.B.I. meant that Russian hackers could roam freely through the committee's network for nearly seven months before top D.N.C. officials were alerted to the attack and hired cyberexperts to protect their systems. In the meantime, the hackers moved on to targets outside the D.N.C., including Mrs. Clinton's campaign chairman, John D. Podesta, whose private email account was hacked months later.

    Even Mr. Podesta, a savvy Washington insider who had written a 2014 report on cyberprivacy for President Obama, did not truly understand the gravity of the hacking.

This NYT version of the FBI Agent story comes from a memo that DNC's contractor, Yared Tamene, wrote at some point after the fact. The NYT describes the memo repeatedly, though it never describes the recipients of the memo nor reveals precisely when it was written (it is clear it had to have been written after April 2016).

Prior articles or archived diaries ...

Dutch Cooperated with Sergei Mikhailov (FSB)
Dark Web: Hansa Market Seized by Dutch Police
GCHQ and EU Intelligence Eavesdropped on Trump Tower Communication
Metadata collection by Dutch MIVD instead of NSA

One of the last releases from WikiLeaks save for the Vault8 papers ...

A Fishy WikiLeaks Dump Targets Russia For a Change | Wired - Sept. 20, 2017 |

At this point, it's commonplace for US government power dealings, investigations, and surveillance tactics to come to light, whether from leaks or whistleblowers. But a new release from WikiLeaks pivoted the focus to Russia, offering a look at some technical aspects of how Moscow spies on its citizens online.

Much of the information in the dump was already publicly available; the release wasn't exactly the type of radical secret-sharing WikiLeaks typically engages in. And security and privacy analysts agree that the documents support, rather than expand, the existing picture of how Russian surveillance works. But with oppressive surveillance and censorship posing an increasingly grim human-rights threat in Russia, experts caution against writing the release off altogether.

"It doesn't solve the problem that we know very few things about what's going on on the side of the FSB," says Andrei Soldatov, a Russian journalist who specializes in investigating digital surveillance and Russian government intelligence like the Federal Security Service. "But nevertheless I decided that I need to praise this release, because it's more than nothing. At least we got some hint about the data exchange interface between telecoms and secret services."
Spy Files

The 35 documents in the WikiLeaks "Spy Files Russia" dump pertain to a St. Petersburg-based company known as Peter-Service, a software and technology vendor that apparently contracts on Russian government surveillance projects. Many of the documents describe how Peter-Service participates in Russia's digital surveillance operation, known as System for Operative Investigative Activities (SORM). Specifically, the release includes information on how the company works with state agencies to collect and share mobile data.

How Kaspersky AV reportedly was caught helping Russian hackers steal NSA secrets | ArsTechnica - Oct. 11, 2017 |

Reports say Israeli spies burrowed inside Kaspersky's network caught Russia red handed.

Last week, The Wall Street Journal dropped a bombshell when it reported that Russian government hackers located confidential National Security Agency material improperly stored on an employee's home computer with help from Kaspersky antivirus, which happened to be installed. On Tuesday, The New York Times and The Washington Post provided another shocker: the Russian hackers were caught in the act by spies from Israel, who were burrowed deep inside Kaspersky's corporate network around the time of the theft.

Moscow-based Kaspersky Lab disclosed the intrusion into its network in mid-2015. Kaspersky released a detailed report that said some of the attack code shared digital fingerprints first found in the Stuxnet worm that sabotaged Iran's nuclear program. When combined with other clues--including the attackers' targeting of entities located in the US, which is off limits to the NSA--most analysts concluded that the 2014 hack was carried out by Israel. At the time, Kaspersky Lab researchers said that the hackers appeared most interested in data the company had amassed on nation-sponsored hackers.

Dutch Hackers Infiltrated Kremlin's Cozy Bear in 2014

'Sapere aude'

by Oui (Oui) on Thu Feb 15th, 2018 at 01:03:22 PM EST
"entities located in the US, which is off limits to the NSA" : this assumption has proved to be an error as has the "transparency" (read: conspicuous) of state purposes and actions to observers.

That "arc" of public interest is one story the press will not directly or indirectly address, although the evidence is all around us.

Diversity is the key to economic and political evolution.

by Cat on Fri Feb 16th, 2018 at 06:09:09 PM EST
The DNC and the Clinton campaign were told by the Sanders data processing staff that their computer security was non-existent.  Instead of fixing the problems, the Clinton campaign and the DNC chose to use the professional courtesy of the Sanders people to attack Sanders.


She believed in nothing; only her skepticism kept her from being an atheist. -- Jean-Paul Sartre

by ATinNM on Tue Feb 20th, 2018 at 07:22:01 PM EST
